THE STATUS OF ENTERPRISE ARCHITECTURE AND INFORMATION TECHNOLOGY INVESTMENT MANAGEMENT IN THE DEPARTMENT OF JUSTICE

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report 06-02
November 2005

EXECUTIVE SUMMARY

To more effectively manage its Information Technology (IT) investments in compliance with legislation and regulations, the Department of Justice (Department) is in the early stages of developing Enterprise Architecture and Information Technology Investment Management (ITIM) processes. An Enterprise Architecture is a strategic information asset base that defines the organization’s mission, the information and technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to changing mission needs. Enterprise Architectures provide explicit structural frames of reference that allow an understanding of: (1) what the enterprise does; (2) when, where, how, and why it does it; and (3) what it uses to do it. An ITIM process enables an organization to manage its IT investments by continuous identification, selection, control, life-cycle management, and evaluation. This structured process provides a systematic method for agencies to minimize risks while maximizing the return on its IT investments.

We performed this audit to determine if the Department is effectively managing its Enterprise Architecture and ITIM efforts. The Department’s IT budget for fiscal year (FY) 2005 is $2.2 billion for 320 systems, including 22 major systems that cross-cut more than one organizational component of the Department.
The Department continues to face significant challenges in ensuring that its IT systems are developed and deployed in a timely and cost-effective manner. For example, IT systems planning and utilization is one of the Department’s top ten management challenges. Further, the management of the Department’s IT investments has been a material weakness since FY 2002.

Congress enacted the Information Technology Management Reform Act of 1996 (known as the Clinger-Cohen Act) to address longstanding problems related to federal IT management. The Clinger-Cohen Act requires the head of each federal agency to implement a process that maximizes the value of agency IT investments and assesses and manages acquisition risks. A key goal of the Act is to ensure that agencies implement IT projects at acceptable costs and within reasonable timeframes. Under Clinger-Cohen, IT projects are to contribute to tangible and observable improvements in the mission performance of each agency. The act also requires the Chief Information Officer (CIO) of each agency to develop, maintain, and facilitate the implementation of Enterprise Architectures as a means of integrating business processes with agency goals. The Office of Management and Budget (OMB) has also issued guidance on IT management (Circular A-130), which requires each federal agency to establish and maintain a capital planning and investment control process for IT.

The Department has not yet established an Enterprise Architecture or ITIM processes and therefore is not in compliance with the Clinger-Cohen Act, OMB guidance, and Department regulations. However, the Department is actively developing and implementing new frameworks aimed at establishing an Enterprise Architecture and ITIM processes.
Also, some Department components, such as the Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA), have made progress in developing component-level Enterprise Architectures and ITIM processes.

The Department’s Justice Management Division, which manages the Department’s cross-cutting systems and 20 of its own operational and administrative systems, began work in 1999 on developing an Enterprise Architecture and ITIM processes, but these efforts were overtaken by higher priority work on the broader Department-level Enterprise Architecture and ITIM processes. Previous attempts by the Department to develop an Enterprise Architecture and ITIM processes using established frameworks were troubled with false starts and a lack of focus and direction. The Department now anticipates that its current efforts to complete an Enterprise Architecture and fully implement ITIM processes will take several years. Without an established, comprehensive Enterprise Architecture and mature ITIM processes in place, the Department risks investing in IT systems that may be duplicative, poorly integrated, and costly to maintain.

Enterprise Architecture

The Department’s Enterprise Architecture efforts began in 1999. These efforts have suffered from a lack of institutional commitment and a changing perception of the composition and priority of a Department Enterprise Architecture. After several years spent attempting to develop an Enterprise Architecture using generally accepted frameworks, the Department decided to develop its own approach tailored to the Department’s needs.
Under a two-tiered approach, the Department’s Justice Management Division (JMD) is responsible for developing Enterprise Architecture for the major IT systems that span multiple Department components, while component-specific IT systems will be covered by Enterprise Architectures developed by the respective Department components. Together, these two levels of architectures will comprise a comprehensive Department Enterprise Architecture. JMD needs to oversee and coordinate the component-level Enterprise Architecture efforts to ensure they contribute to the formation of the Department’s Enterprise Architecture. However, to date the Department has provided little oversight of the components’ development of Enterprise Architectures.

JMD is developing a framework, called the Capability Delivery Model, to establish its Enterprise Architecture. The Department expects to complete the framework in late FY 2005 and the resulting Enterprise Architecture by late FY 2009. According to Department officials, the Capability Delivery Model will not be as high-level as the commonly used Federal Enterprise Architecture Framework (FEAF), but rather is intended to be more useful and relevant to day-to-day operations of the Department while containing the basic elements of the FEAF. The Department expects the Enterprise Architecture developed through the framework to cover the Department’s major, cross-cutting IT systems and enable the Department to more effectively and efficiently manage its current and future IT infrastructure and applications. The Department estimated spending approximately $1 million on Enterprise Architecture efforts in FY 2004 and predicts spending approximately $1.1 million in FY 2005.
However, Department officials were unable to provide us with specific expenditures related to the cost of Enterprise Architecture efforts from FY 1999 to 2004.

      GAO Framework

In April 2003, the U.S. Government Accountability Office (GAO), in collaboration with the OMB and the CIO Council, published an Enterprise Architecture framework.[1] The GAO framework provides measures to aid in assessing the progress of an organization’s Enterprise Architecture efforts. The GAO framework describes five stages of Enterprise Architecture maturity and details the elements needed to achieve each stage.

[1] The framework is entitled Information Technology, A Framework for Assessing and Improving Enterprise Architecture Management, Version 1.1 (GAO-03-584G), dated April 2003.

Applying the GAO five-stage framework to assess what the Department has achieved toward developing its Enterprise Architecture, we found that the Department has completed six of the nine elements to reach a Stage 2 maturity level. The Department has adequate resources; a program office responsible for Enterprise Architecture development and maintenance; a Chief Architect; an Enterprise Architecture framework and methodology; plans for current, target, and transitional architectures in terms of business, performance, information, application, and technology; and application of security within each architectural area. The Department does not have a Department-wide committee responsible for directing, overseeing, and approving the Enterprise Architecture; an automated tool; or metrics for measuring Enterprise Architecture progress, quality, compliance, and return on investment.

The Department has made progress toward attaining Stage 3 maturity. The Department has worked on developing a process for the establishment of current, target, and transition architectures.
However, the Department lacks a written and approved policy for Enterprise Architecture development, implementation, and maintenance. In addition, the Department must ensure that when completed, all Enterprise Architecture products undergo configuration management.[2]

To attain Stage 4 maturity, the Department must complete additional work before the Enterprise Architecture can be used as intended — to drive sound IT investments that are consistent with the Department’s goals and missions. The Department is working on a current architecture, transition plan, and target architecture, which it plans to complete by FY 2009.

To reach the Stage 5 level of a fully mature Enterprise Architecture, an organization must use its Enterprise Architecture to drive IT investments and ensure systems’ interoperability. The Department cannot meet Stage 5 requirements of the Enterprise Architecture Management Framework until it completes its Enterprise Architecture.

The foundation of the Department’s Enterprise Architecture lies in its IT infrastructure. A consolidated infrastructure will aid the Capability Architecture effort by providing a common conceptual framework to support technical interoperability, defining a common Department vocabulary, and providing a high-level description of the IT deployed throughout the Department. We found that the Department is developing the elements of a consolidated infrastructure through pilot programs.

Completion of a clear and comprehensive Department Enterprise Architecture will require a collaborative effort between the Department and the major Department components.
The two-tiered architecture envisioned by the Department will require components to contribute Enterprise Architectures that encompass component-specific IT systems, which are not included in the Department’s cross-cutting Capability Architectures. However, some components have been independently developing Enterprise Architectures for several years at considerable cost — $26.7 million in FY 2004 — without substantive or consistent Department-level guidance or monitoring. While focusing on a Department-wide Enterprise Architecture methodology, the Department has not provided sufficient direction to ensure that components’ Enterprise Architecture efforts are consistent with, and meet the needs of, the overall Department Enterprise Architecture. Also, the Department has not tracked the development of components’ Enterprise Architectures, validated those Enterprise Architectures that have been developed, or ensured that Enterprise Architectures are kept current.

[2] Configuration management is the process of managing changes to IT systems or hardware.

However, the Department has begun work to improve its oversight and guidance in this area. For example, an Enterprise Architecture Program Management Plan, completed June 2005, discusses the Department’s Enterprise Architecture organization, interaction between the components and the Department, the need for a Department-wide Enterprise Architecture tool, and components’ use of the FEAF.

Information Technology Investment Management

A key objective of the Clinger-Cohen Act is to ensure that agencies implement processes for maximizing the value of IT investments and for assessing and managing the risks of IT acquisitions.
To accomplish this objective, agencies must establish processes to ensure that IT projects are being implemented at acceptable costs and within reasonable timeframes, and that the projects are contributing to tangible, observable improvements in mission performance. Additionally, OMB Circular A-130 requires each federal agency to establish and maintain a capital planning and investment control process for IT. The Department is in the early stages of developing a Department-wide ITIM to share IT information, data, and infrastructure. Some Department components have developed or are developing their own ITIM processes, although the Department does not have overall information regarding the cost or status of these efforts.

Prior to FY 2004, the Department was not making investment decisions consistent with the development of a cohesive Department IT portfolio. Instead, the Department reviewed component IT concept proposals and budget requests to ensure alignment with the Department’s 2002 IT Strategic Plan. In 2002, the Department initiated ITIM policies and procedures to comply with Clinger-Cohen but found the components were making slow progress in developing their ITIM processes. In October 2004, the Department issued a framework for developing ITIM processes, called the IT Strategic Management (ITSM) Framework. The Department expects the ITSM Framework to lead to a Department-level ITIM and a high level of IT leadership and centralization of IT functions.
The ITSM is intended to encompass all IT investments of the Department by providing direction to the larger components on what investment strategies to take, while also providing ITIM processes for smaller components where creating complete ITIM processes is impractical.

The Department’s ITSM Framework consists of three phases: IT Planning, IT Funding and Architecture, and IT Investment Oversight.

• The IT Planning Phase establishes IT strategies and priorities for the Department through the development of an IT Strategic Plan and then builds on those strategies through the development of an IT Investment Plan.

• The IT Funding and Architecture Phase builds on the IT Planning Phase. The funding portion uses an IT Investment Plan to formulate a budget. This occurs while the architecture effort develops a “conceptual architecture” to guide project development by providing a standard for solution architectures. The primary product of the IT Funding and Architecture Phase is a funded enterprise portfolio.

• The IT Investment Oversight Phase monitors the progress of development and implementation of the Department’s IT investments. This phase consists of a continuing evaluation of the Department’s IT portfolio to determine whether investments should be made, existing systems should continue to operate, or systems should be eliminated.

With the implementation of the ITSM beginning in 2004, the Department’s approach to IT management has begun to change from a decentralized to a more centralized approach. According to a Department official, the Department plans to take a more integrated approach and to focus more on IT management at the Department level.
This new vision has resulted in a more proactive role by the Department in matching technology to identified business needs.

The ITSM framework is emphasizing the Department’s oversight role to ensure that components’ ITIM processes and investments are aligned with those of the Department. The Department’s initial oversight of component ITIMs began in March 2001 with DOJ Order 2880.1A, which requires components to have an ITIM process. Initially the Department required components to submit their ITIM methodologies for review, but this oversight of components’ ITIM processes was abandoned in 2002. After 2002, the Department changed its focus from the investment process to the investments and IT products themselves, and priorities became product-oriented instead of process-oriented. As a result of the ITSM, the Department is now refocusing on the investment process. However, the Department’s current oversight effort centers almost exclusively on the FBI’s ITIM, because the FBI’s IT budget is the largest of the Department’s components. While the Oversight Phase in the ITSM framework will be used to supervise components’ IT projects, currently there is no Departmental oversight or approval of ITIM processes other than the FBI’s.

Conclusions

We found that although the Department is in the process of developing both an Enterprise Architecture and ITIM processes based on Department-developed frameworks, it is not yet in full compliance with the Clinger-Cohen Act, OMB guidance, or Department regulations.
However, at this early stage of development, we believe the methodologies being implemented by the Department — the Capability Delivery Model for an Enterprise Architecture and the ITSM framework for ITIM — will comply with the requirements of Clinger-Cohen and OMB A-130, if brought to completion as planned. The Department has also begun to improve its oversight and guidance of the components’ Enterprise Architectures and ITIM processes. However, additional oversight of the components is needed to ensure the success of the Capability Delivery Model and the ITSM framework.

OIG Recommendations

In this report, we make seven recommendations for improving the Department’s IT management. The recommendations are:

• Complete the Department-wide Enterprise Architecture to ensure that IT investments are not duplicative, are well-integrated, are cost-effective, and support the Department’s mission.

• Provide Departmental guidance to components for the development and maintenance of Enterprise Architectures consistent with the guidance provided by the Federal Enterprise Architecture Framework, the OMB, and the GAO.

• Track and review the planning, development, completion, and updating of component-level Enterprise Architectures.

• Meet the requirements established by the Clinger-Cohen Act by fully implementing the phases outlined by the ITSM framework to ensure that all Department IT investments are covered by an ITIM process.

• Ensure that components requiring ITIM processes develop them.

• Provide assistance to components in developing and implementing ITIM processes.

• Establish a clear schedule for the completion of the ITSM framework and the
completion of a mature ITIM process.

TABLE OF CONTENTS

BACKGROUND
Introduction
Authorities
Departmental Guidance
Enterprise Architecture Management
IT Investment Management
Prior Reports

FINDINGS AND RECOMMENDATIONS
Finding 1: Enterprise Architecture
      Department-level Enterprise Architecture Efforts
      Status of the Department’s Progress toward Completing the Five Stages of the GAO Enterprise Architecture Framework
      Department IT Infrastructure
      Oversight of Components’ Enterprise Architecture Development
      Conclusion
      Recommendations

Finding 2: Information Technology Investment Management
      Department-level ITIM
      Conclusion
      Recommendations

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
STATEMENT ON INTERNAL CONTROLS
APPENDIX 1: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX 2: DOJ and OCIO ORGANIZATION CHARTS
APPENDIX 3: ACRONYMS
APPENDIX 4: SUMMARY OF ENTERPRISE ARCHITECTURE MANAGEMENT FRAMEWORK’S MATURITY STAGES, CRITICAL SUCCESS ATTRIBUTES, AND CORE ELEMENTS
APPENDIX 5: SUMMARY OF GAO ITIM FRAMEWORK
APPENDIX 6: DEPARTMENT PROGRESS THROUGH STAGE 3 OF THE ENTERPRISE ARCHITECTURE MANAGEMENT FRAMEWORK
APPENDIX 7: THE THREE COMPONENTS OF THE ITIM PROCESS
APPENDIX 8: PRIOR REPORTS
APPENDIX 9: DEPARTMENT ITSM FRAMEWORK’S CONTINUOUS INTEGRATED PROCESSES
APPENDIX 10: THE DOJ’S RESPONSE TO THE DRAFT REPORT
APPENDIX 11: OFFICE OF THE INSPECTOR GENERAL’S ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

BACKGROUND

Introduction

The Department of Justice (Department) relies on 320 Information Technology (IT) systems to conduct the business of the Department through its components, offices, boards, and divisions. Most of these IT systems are unique to the major organizational components of the Department, although 22 major systems cross-cut more than one component.
In Fiscal Year (FY) 2005, the Department budgeted nearly $2.25 billion for IT, and almost half the budget applied to cross-cutting systems.

Authorities

      Clinger-Cohen Act

Congress enacted the Information Technology Management Reform Act of 1996 (known as the Clinger-Cohen Act) to address longstanding problems related to federal IT management. The Clinger-Cohen Act requires the head of each federal agency to implement a process that maximizes the value of agency IT investments and assesses and manages acquisition risks. A key goal of the Act is to ensure that agencies implement IT projects at acceptable costs and within reasonable timeframes. Under Clinger-Cohen, IT projects are to contribute to tangible and observable improvements in the mission performance of each agency.

Clinger-Cohen also requires the Chief Information Officer (CIO) of each agency to develop, maintain, and facilitate the implementation of IT architectures as a means of integrating business processes with agency goals.
An IT architecture, commonly referred to as an organization’s Enterprise Architecture, is an integrated framework used to acquire, evolve, or maintain IT that achieves strategic and information resource management goals.

The Clinger-Cohen Act assigns to the head of an executive agency the responsibility to develop a capital planning and investment control process that will:

• provide for the selection, management, and evaluation of investments;

• be integrated with the budget, management, and program management processes;

• include minimum performance criteria for comparing and prioritizing alternative investment projects;

• identify investments that would result in shared benefits or costs for other agencies;

• identify quantifiable measurements for net benefits and risks of investments; and

• provide the means for senior management to obtain timely information regarding the progress of an investment.

      OMB Circular A-130

Office of Management and Budget (OMB) Circular A-130 (A-130) requires each federal agency to establish and maintain a capital planning and investment control process for IT, commonly referred to as Information Technology Investment Management (ITIM). The major purpose of establishing an ITIM process is to link agency resources with agency results. The ITIM process is intended to guide strategic and operational information resource management, IT planning, and the Enterprise Architecture. This is accomplished by integrating the agency’s budget execution processes with statutorily required strategic and performance, financial management, and acquisition plans.
[3]

According to OMB Circular A-130, agencies are to use an ITIM process to link mission needs, information, and IT in an effective and efficient manner. An effective ITIM process has three components: select, control, and evaluate. The following chart describes the three fundamental phases of this IT investment approach.

[Figure: Fundamental Phases of the IT Investment Approach. Source: Government Accountability Office]

[3] Each agency prepares these plans pursuant to specific mandates. Agency strategic and performance plans are required by the Government Performance and Results Act of 1993, agency financial management plans are required by the Chief Financial Officer Act of 1990, and agency acquisition plans are required by the Federal Acquisition Streamlining Act of 1994.

A-130 also requires agencies to document and submit their initial Enterprise Architectures to the OMB, as well as updates when significant changes occur. The Enterprise Architecture is to describe both the current architecture of an agency and its future, or target, architecture, as well as provide a roadmap enabling the agency to both support its current IT state and transition to a targeted environment.
Such roadmaps include an agency’s capital planning and investment control processes, Enterprise Architecture planning processes, and system life cycle methodologies.

Departmental Guidance

In order to meet the requirements of Clinger-Cohen and A-130, the Department issued guidance to its components in March 2001, which provided a framework for developing ITIM processes, including those covering Enterprise Architectures.

      DOJ Information Resources Management Policy

In March 2001, the Department’s Assistant Attorney General for Administration approved DOJ Order 2880.1A, Information Resources Management, which established an Information Resources Management (IRM) policy for the Department based on Clinger-Cohen. This IRM policy applies to all major Department components.

The order requires each component to designate a CIO to serve as the primary point of contact for IRM policy and requires the component CIO to: (1) report directly to the respective component head, and (2) recommend a component-level ITIM process that both budgets for and prioritizes IT investment deployment. The component CIO is to submit the component’s ITIM process to the DOJ CIO for approval upon completion. Once the process is approved by the DOJ CIO, the component is responsible for managing its respective IT investment portfolios and establishing component ITIM decision-making forums and policies. The order also requires the components to develop and maintain Enterprise Architectures to support their ITIM processes.

      DOJ ITIM Guide

In August 2001, the Department issued The Guide to the Department of Justice Information Technology Investment Management Process (Guide) to implement the Clinger-Cohen Act, OMB Circular A-130, and other IT management requirements.
[4] The Guide requires all DOJ components to implement an ITIM model and provides structure and support to DOJ components developing an ITIM model tailored to the unique characteristics of each component. The elements of an adequate ITIM process, regardless of component size, mission, or operational requirements, are also included in the Guide. Using the select-control-evaluate methodology, the components are to establish a structured, repeatable, and documented process for IT investments throughout the life cycle of the investment.

[4] The additional requirements include the Government Performance and Results Act, Government Paperwork Reduction Act, Federal Acquisition Streamlining Act, Federal Acquisition Reform Act, Executive Order 13011, OMB Circular A-11, and OMB Memorandum M-00-07.

The select-control-evaluate method outlined in the Guide is intended to maximize component resources by focusing on strategic investment planning decisions for ongoing and future budget requests. By integrating each component’s existing strategic planning, budgeting, and decision-making processes, the component’s ITIM is to conform with Departmental policies and guidance and include timely and substantive executive-level review at the component level.

The requirements established in the Guide apply to all IT projects and systems in the Department, and accordingly each Department component must:

• designate a CIO who reports directly to the head of the component as required by DOJ Order 2880.1A,

• establish an Executive Review Board to approve the component’s IT portfolio and provide management oversight of decisions made about specific IT investments contained within the IT portfolio, and

• establish a component ITIM process that is both
          consistent with Departmental guidance and customized to function
          within the unique environment of the component.

      Technical Reference Model

      To facilitate the development of the Department’s Enterprise
Architecture, the Department issued a Technical Reference Model (TRM) in
2001. The TRM is not an architecture, but an aid to developing architectures
for the Department. The TRM provides a foundation for developing technical
and operational architectures, for defining services, and for identifying
standards for all IT systems funded by the Department. It applies to both
the development of new systems and the enhancement of existing systems.
Use of the Department TRM was intended to promote the development and
deployment of information systems that will enhance interoperability among
components and their information systems.

Enterprise Architecture Management

      In 1999, the Federal Chief Information Officers Council (CIO Council)
issued the Federal Enterprise Architecture Framework (FEAF). This
framework is illustrated in the following diagram.

      [Figure: Federal Enterprise Architecture Framework]
      Source: Federal CIO Council

      In support of the framework, the CIO Council issued the Practical
Guide to Federal Enterprise Architecture (Practical Guide) in
February 2001.[5] The Practical Guide describes Enterprise Architecture as a
strategic information asset base that defines the mission, the technologies
necessary to perform the mission, and the transitional processes for
implementing new technologies in response to changing mission needs.
An Enterprise Architecture is to provide a clear and comprehensive layout of an
entity, whether the entity is an organization or a functional or mission area.
According to the Government Accountability Office (GAO), investing in IT
without defining the IT investments in the context of an Enterprise
Architecture often results in systems that are duplicative, not well
integrated, and costly to maintain.

      [5] The CIO Council is the principal interagency forum for improving
      practices in the design, modernization, use, sharing, and performance of
      federal government agency information resources. The CIO Council’s
      Practical Guide provides a step-by-step process to assist agencies in
      defining, maintaining, and implementing Enterprise Architectures.

      An Enterprise Architecture is comprised of four elements: Business
Architecture, Data Architecture, Applications Architecture, and Technology
Architecture. Together, these elements provide a clear picture of how an
organization accomplishes its mission, goals, and objectives. It also
provides the baseline from which initiatives are planned and later compared.

      Each of the four architectures is comprised of a current or “as-is”
element that describes the existing environment, a target or “to-be” element
that describes the proposed environment, and a sequencing plan detailing
the transition from the “as-is” to the “to-be” environment.

      In April 2003, the GAO, in collaboration with the OMB and the CIO
Council, published an updated Enterprise Architecture management
framework.[6] The GAO’s new Enterprise Architecture management
framework provides measures to aid management in assessing its progress
and taking any necessary corrective action.
The GAO Enterprise Architecture
framework consists of three basic components: (1) five hierarchical stages
of management maturity, (2) categories of attributes that are critical to the
success of managing any endeavor, and (3) elements of Enterprise
Architecture management that form the core of the CIO Council’s Practical
Guide.

      The GAO framework outlines five maturity stages. These stages
include steps toward achieving a stable and mature process that develops,
maintains, and implements the Enterprise Architecture of an agency. As an
organization improves its Enterprise Architecture management capabilities,
its Enterprise Architecture management maturity subsequently increases.
The five maturity stages are:

      •   Stage 1: Creating Enterprise Architecture Awareness
          A Stage 1 organization does not have plans to develop and use an
          architecture, or it has plans that do not demonstrate an awareness
          of the value of having and using an architecture.
          Efforts are ad hoc and unstructured, lack institutional leadership
          and direction, and do not provide the management foundation
          necessary for successful development.

      [6] The framework is entitled Information Technology, A Framework for
      Assessing and Improving Enterprise Architecture Management, Version 1.1
      (GAO-03-584G), dated April 2003.

      •   Stage 2: Building the Management Foundation
          A Stage 2 organization recognizes that an Enterprise Architecture is
          a corporate asset by vesting accountability in an executive body
          that represents the entire enterprise, assigning management roles
          and responsibilities, establishing plans for developing the Enterprise
          Architecture and for measuring program progress and quality, and
          committing the resources necessary for developing the architecture.

      •   Stage 3: Developing the Enterprise Architecture
          A Stage 3 organization focuses on developing architecture products
          according to the selected framework, methodology, and established
          management plans. The scope of the architecture has been defined
          to encompass the entire enterprise, whether organization-based or
          function-based. Products are intended to describe the organization
          in business, performance, data, application, and technology terms.
          Products are to describe the “as-is” and “to-be” states and the plan
          for transitioning from the current to the future state (the
          sequencing plan).
          The organization is tracking and measuring its progress against
          plans, identifying and addressing variances, and reporting on its
          progress.

      •   Stage 4: Completing the Enterprise Architecture
          A Stage 4 organization has completed its products and obtained the
          approval of a steering committee (or an investment review board)
          and the CIO. Evolution of the approved products is governed by a
          written maintenance policy approved by the head of the
          organization.

      •   Stage 5: Leveraging the Enterprise Architecture to Manage Change
          A Stage 5 organization has obtained senior leadership approval of
          products and has established a written institutional policy stating
          that IT investments must comply with the architecture, unless
          granted an explicit compliance waiver. Decision-makers are using
          the architecture to identify and resolve ongoing and proposed IT
          investments that are conflicting, overlapping, not strategically
          linked, or redundant.
          The organization tracks and measures benefits or return on
          investment, and adjustments are continuously made to the Enterprise
          Architecture management process and products.

      With the exception of the first stage, each maturity stage is composed
of the following four success attributes that are critical to the successful
performance of any management function:

      •   Demonstrates Commitment by the head of the enterprise
          providing support and sponsorship to achieve the success of the
          Enterprise Architecture effort.

      •   Provides the Capability to Meet Commitment by developing,
          maintaining, and implementing Enterprise Architecture through
          adequate resources, clear definitions of roles and responsibilities,
          and implementing organizational structures and process
          management controls that promote accountability and effective
          project execution.

      •   Demonstrates Satisfaction of Commitment to develop,
          maintain, and implement Enterprise Architecture by producing
          Enterprise Architecture plans and products.

      •   Verifies Satisfaction of Commitment by measuring and
          disclosing the extent to which efforts to develop, maintain, and
          implement the Enterprise Architecture have fulfilled stated goals or
          commitments. Measuring performance allows for tracking progress
          toward stated goals, allows appropriate actions to be taken when
          performance deviates significantly from goals, and creates
          incentives to influence both institutional and individual behaviors.

      Collectively, these attributes form the basis by which an organization
can institutionalize the management of any given function or program, such
as Enterprise Architecture management.
Each attribute contains core
elements that contribute to the effective implementation and
institutionalization of a critical success attribute. Appendix 4 summarizes
the interrelationships of the elements in the Enterprise Architecture
management process.

IT Investment Management

      In 1997, the GAO issued Assessing Risks and Returns: A Guide For
Evaluating Federal Agencies’ IT Investment Decision-making, in which the
GAO stated that investments in IT can have a dramatic impact on an
agency’s performance. Well-managed IT investments that are carefully
selected and focused on meeting mission needs can propel an agency
forward, dramatically improving performance while reducing costs.
Likewise, poor investments, those that are inadequately justified or whose
costs, risks, and benefits are poorly managed, can hinder and even restrict
an agency’s performance.

      To provide a method for evaluating and assessing how well an agency
is selecting and managing its IT resources, in May 2000 the GAO issued
Information Technology Investment Management: A Framework For
Assessing and Improving Process Maturity, and updated the framework in
March 2004. The GAO’s ITIM framework outlines a set of essential and
complementary management disciplines such as ITIM, strategic planning,
and software development. The ITIM framework supports the fundamental
requirements of the Clinger-Cohen Act and is intended to be used as a tool
for implementing the required processes. Appendix 5 contains a summary of
the GAO ITIM Framework.

      OMB Circular A-130 requires that agencies establish and maintain a
capital planning and investment control process that links mission needs,
information, and information technology in an effective and efficient manner.
A-130 divides the process into the Select, Control, and Evaluate stages.
See Appendix 7 for a summary of OMB Circular A-130’s three ITIM stages.

Prior Reports

      We identified eight reports issued since May 2000 by the GAO and the
Office of the Inspector General (OIG) that are relevant to this audit. See
Appendix 8 for details of the eight reports.

      In general, the GAO has reported that although almost all federal
agencies had created some type of ITIM process, none had yet implemented
stable processes addressing all three phases of the select-control-evaluate
approach. The GAO also reported that the federal government as a whole
had not reached a mature state of Enterprise Architecture management.
The OIG reports identified vulnerabilities with management, operational, and
technical controls in specific Department IT systems. In addition, the OIG
examined the status of Federal Bureau of Investigation (FBI) and Drug
Enforcement Administration’s (DEA) ITIM processes and Enterprise
Architectures.

                  FINDINGS AND RECOMMENDATIONS

Finding 1: Enterprise Architecture

     The Department of Justice does not yet have an Enterprise
     Architecture despite intermittent efforts begun in 1999.
     However, the Department is developing and implementing
     frameworks aimed at establishing an Enterprise Architecture,
     which the Department expects to complete by 2009. When
     completed, the Enterprise Architecture should provide a blueprint
     for the Department to more effectively and efficiently manage its
     current and future IT infrastructure and applications.
     The Department abandoned its earlier attempts to develop an
     Enterprise Architecture using generally accepted frameworks and
     is now developing a Department-level Enterprise Architecture for
     the major cross-cutting IT systems that span multiple
     Department components, and component-specific IT systems
     that will have Enterprise Architectures developed by the
     respective components. However, we found that the
     Department is providing little oversight of the components’
     development of Enterprise Architectures. It is also unclear
     whether the Department’s two-tier approach will result in an
     Enterprise Architecture that encompasses all IT throughout the
     Department. Without a comprehensive Enterprise Architecture,
     the Department risks investing in IT systems that could be
     duplicative, poorly integrated, and costly to maintain. The
     successful completion of the Department’s Enterprise
     Architecture, along with individual components’ Enterprise
     Architectures, will mitigate those risks and provide a realistic
     vision of future IT requirements.

Department-level Enterprise Architecture Efforts

      Efforts to develop a Department Enterprise Architecture have been
underway since 1999. However, the Department’s efforts to develop an
Enterprise Architecture have suffered from a lack of institutional
commitment and a changing perception of the composition of, and priority
for, a Department-level Enterprise Architecture. Adding to this confusion are
the additional Enterprise Architectures developed by components.

      In 2001, the Department began developing an Enterprise Architecture
based on the Federal Enterprise Architecture Framework (FEAF).
The Department secured funding and hired System, Data, Infrastructure, and
Business Architects and an Investment Management Coordinator. This
group assembled “as-is” business, data, and application architectures by
December 2001. However, a Department official told us that other priorities
prevented this early Enterprise Architecture effort from continuing. Further,
the “as-is” architectures were not updated and were not useful for later
efforts to develop a Department-wide Enterprise Architecture.

      In 2002, the Department began using the Federal Enterprise
Architecture Management System (FEAMS), a web-based automated tool
that provides agencies with access to initiatives aligned to the FEAF and
associated reference models to assist in developing an Enterprise
Architecture.[7] The FEAMS was designed in close cooperation with the OMB,
and the OMB required the Department to use the FEAMS to develop its
Enterprise Architecture. According to a Department official, the Department
considered the FEAMS to be a cumbersome system that made inputting and
extracting data difficult. Further, while the system served as a storage place
for models, it could not perform analyses. Consequently, despite the OMB’s
direction, the Department discontinued the FEAMS.

      In 2003, the Department piloted the Popkin System Architect software
for use as its automated tool. Although the DEA used the Popkin software in
developing its Enterprise Architecture, a Department official stated that
Popkin would require significant modifications to serve the Department’s
purposes. Based on the results of the pilot, the Department decided not to
use Popkin. A Department official stated that commercial off-the-shelf tools
are now being explored as aids to the development of the Enterprise
Architecture.
However, the Department has no timetable for acquiring an
automated tool to document the development of the Department’s
Enterprise Architecture. In addition, Department officials were unable to
provide expenditure data for Enterprise Architecture efforts prior to FY 2004.

      After rejecting the FEAF along with the FEAMS automated tool, the
Department began devising its own framework intended to lead to a
Department-wide Enterprise Architecture. The Department expects the
framework, called the Capability Delivery Model, to be completed in late
FY 2005 and the resulting Enterprise Architecture by late FY 2009.
According to Department officials, the Capability Delivery Model, while
including the basic elements of the FEAF, will not be as high-level as the
FEAF, but rather is intended to be more useful and relevant to day-to-day
operations. The Department expects the Enterprise Architecture developed
through the Capability Delivery Model to cover the Department’s major,
cross-cutting IT systems and enable the Department to more effectively and
efficiently manage its current and future IT infrastructure and applications.

      [7] An automated tool is an electronic repository for capturing,
      updating, and disseminating an Enterprise Architecture across an
      organization.

      The Department anticipates the Capability Delivery Model will be a
more detailed, refined, Department-specific version of the FEAF. The
foundation of the model is the Department’s mission areas. For each
mission area, component-specific goals and objectives will be developed,
and capabilities will be identified to achieve them. Mechanisms — including
systems, hardware, and software — will be obtained to support multiple
capabilities.
This process is illustrated in the following diagram.

      [Figure: Capability Delivery Model. Elements shown: Mission, Goal,
      Objective, Business Process, Capability, Sub-Capability, Mechanism.]
      Source: Justice Management Division

      The Capability Delivery Model is being developed by creating several
pilot architectures for categories of systems, such as an architecture for
Terrorism Information Sharing, which stems from the Department’s mission
to prevent terrorism. A goal derived from this mission is the sharing of
information among Department components involved in counterterrorism
efforts. Examples of objectives within this goal are the interoperability,
accessibility, and security of shared information. Once the goals and
objectives are clarified, relevant component business processes are
evaluated to develop a capability to meet them.
In this example, the
capability is the Intelligence Terrorism Information Sharing Environment.
Specific IT mechanisms will then be put in place to enable the Terrorism
Information Sharing Environment to be implemented.

      The Department has developed Capability Architectures for Security,
Public Key Infrastructure (PKI), and Telecommunications, and is currently
developing the following Capability Architectures:

      •   Terrorism Information Sharing
      •   Arson and Explosives
      •   Law Enforcement Information Sharing
      •   Case Management
      •   Financial Management
      •   E-Government
      •   Integrated Wireless Network
      •   Other Classified functions

      The Department expects to combine these Capability Architectures to
form an overall Department-level Enterprise Architecture and then use it to
manage the development of IT systems that cross-cut multiple Department
components. This approach of using Capability Architectures is what makes
the Department’s Enterprise Architecture different from one created through
the FEAF. The FEAF methodology relies on the development of various
reference models that describe an organization’s business, data necessary to
conduct the business, applications to manage the data, and technology to
support the applications. Instead of relying on various reference models,
the Department’s Enterprise Architecture will focus on the specific missions
of the organization.
Department managers told us that this approach
provides a more specific and useful architecture tailored to the Department.
While these two methodologies for developing Enterprise Architectures
differ, Department officials stated that the elements required in the FEAF will
be present in the Department’s Enterprise Architecture.

Status of the Department’s Progress Toward Completing the Five
Stages of the GAO Enterprise Architecture Framework

      We used the criteria in the GAO’s Enterprise Architecture framework to
evaluate the Department’s progress in developing a Department-wide
Enterprise Architecture. To implement each of the five maturity stages of
the GAO framework discussed below, the Department must complete four
critical success attributes: (1) demonstrate commitment,
(2) provide the capability to meet the commitment, (3) demonstrate
satisfaction of commitment, and (4) verify satisfaction of commitment. Each
attribute contains core elements that contribute to the effective
implementation and institutionalization of the critical success attribute.
Collectively, these attributes form the basis by which an organization can
institutionalize management of any given function or program.

      We found that the Department has nearly completed what equates to
Stage 2 of the five-stage GAO framework and has made some progress
toward the third stage of maturity.

Stage 1 — Completed

      In meeting the criteria for this stage, the Department created an
awareness of the value of developing and using an Enterprise Architecture
by providing the management foundation necessary for successful Enterprise
Architecture development, as defined in Stage 2.

Stage 2 — Nearing Completion

      The Department has completed five of the nine core elements required
by the GAO framework and has achieved one of the four critical
attributes. To meet the criteria for this stage, the Department needs to:
(1) ensure the existence of adequate resources; (2) establish Department-wide
committees responsible for directing, overseeing, and approving the
Enterprise Architecture; (3) develop the Enterprise Architecture using an
automated tool; and (4) develop metrics for measuring Enterprise
Architecture progress, quality, compliance, and return on investment.

      Critical Attribute 1: Demonstrates Commitment

      To complete the first critical attribute for Stage 2 of the GAO
framework, the Department must demonstrate its commitment to building
an Enterprise Architecture management foundation by establishing two core
elements:

      (1)   ensure the existence of adequate resources; and

      (2)   establish Department-wide committees responsible for directing,
            overseeing, and approving the Enterprise Architecture.

We determined the Department has not fully implemented the two core
elements under the first critical attribute for Stage 2.

      Adequate Resources. Obtaining adequate resources includes:
(1) identifying and securing the funding necessary to support Enterprise
Architecture activities; (2) hiring and retaining employees with the proper
knowledge, skills, and abilities to plan and execute the Enterprise
Architecture program; and (3) selecting and acquiring the tools and
technology to support Enterprise Architecture activities.

      According to a Department official, the Department spent
approximately $1 million on developing its Enterprise Architecture in
FY 2004 and plans to spend approximately $1.1 million in FY 2005, amounts
that appear adequate for continuing development at this point.
The Enterprise Architecture Program Management Office includes the Chief
Architect, Enterprise Architecture Program Manager, Business Architect,
Systems Architect, Data Architect, Infrastructure Architect, Security
Architect, Configuration Manager, Senior Systems Architecture Consultant,
and Technical Writer. In our opinion, these employees have sufficient
knowledge and experience to establish an Enterprise Architecture.

      However, the Department does not yet have a tool to assist in the
development of its Enterprise Architecture that clearly and completely
documents the Department’s Enterprise Architecture. As discussed
previously, the Department tested the Popkin System Architect tool and
found it unacceptable. The Department is in the process of identifying tools
and technology to support its Enterprise Architecture activities. Because the
Department does not have all the adequate resources for an Enterprise
Architecture, the first core element is not fully implemented.

      Enterprise Architecture Governing Committees. Responsibility for
directing, overseeing, and approving architectures should be given to a
committee or group with cross-representation from throughout the
enterprise. Establishing agency-wide responsibility and accountability is
important to demonstrate the agency’s commitment to building a
management foundation for the Enterprise Architecture and obtaining buy-in
from across the agency. Accordingly, the committee or group should include
executive-level representatives from each line of the business, and these
executive representatives should have the authority to commit resources
and enforce decisions within their respective organizational units.

      The Department had established an Enterprise Architecture Committee
(EAC) in 2001, which reported to the Department of Justice CIO Council.
However, the EAC is no longer active.
[8] The EAC was established to support
the formulation and adoption of a Departmental Enterprise Architecture by
ensuring that the Department-level Enterprise Architecture met all federal
requirements. Further, the EAC was a deliberative body for the
Department’s chief IT architects to:

      •   provide a forum for sharing and discussing Enterprise Architecture
          information;

      •   coordinate activities related to Departmental and federal Enterprise
          Architecture issues and priorities;

      •   collaborate on Departmental Enterprise Architecture strategies,
          management issues, and policies and practices;

      •   make recommendations to the Council for appropriate action;

      •   foster networking among Departmental IT architecture
          professionals;

      •   promote technology and security awareness to enhance Enterprise
          Architecture planning;

      •   work together on cross-cutting issues to reduce redundant efforts
          and improve architectural consistency; and

      •   support an effective working relationship between the components
          and the Department’s Justice Management Division (JMD) so that
          their respective Enterprise Architecture responsibilities can be met.

      [8] The Department CIO established the Council to support the
      implementation of the Clinger-Cohen Act and other federal laws and
      policies related to IT management. Among other things, the Council
      reviews and makes recommendations to the Department CIO on IT projects,
      strategies, policies, and procedures and practices — both
      Department-wide or for any component.

      In our judgment, the membership of the EAC demonstrated an
agency-wide leadership commitment to the Enterprise Architecture process.
The EAC was
comprised of the Chief Architects from the Federal Bureau of
Prisons; DEA; FBI; Bureau of Alcohol, Tobacco, Firearms and Explosives
(ATF); Office of Justice Programs; Executive Office for U.S. Attorneys; JMD;
U.S. Marshals Service; and other key architects within the Department.
Also, a component CIO was designated to serve as EAC Chair, and the
Department’s Chief Architect was designated vice-chair.

      The Committee met monthly from 2001 to 2002, then intermittently
until disbanding in early 2004. Although a Department official stated the
committee planned in early 2004 to regroup and begin meeting again, the
Committee has been inactive since early 2004. The official explained that
the Committee stopped meeting to rethink, regroup, and decide where the
Department-wide Enterprise Architecture efforts were going. Therefore, the
Department no longer meets one of the core elements required under the
GAO framework to demonstrate its commitment.

      Critical Attribute 2: Provides Capability to Meet Commitment

      The completion of the second critical attribute for achieving Stage 2
requires the Department to establish three core elements:

      (1) establish a program office responsible for Enterprise Architecture
          development and maintenance;

      (2) appoint a Chief Architect; and

      (3) develop the Enterprise Architecture using a framework,
          methodology, and automated tool.

The Department has made progress toward implementing these three core
elements. The Department has implemented core elements 1 and 2, but
core element 3 is not fully implemented.

      Enterprise Architecture Program Office. Enterprise Architecture
development and maintenance should be managed as a formal program.
Accordingly, responsibility for Enterprise Architecture management should be
assigned to an organizational unit and not an individual.
The CIO Practical
Guide, discussed in the Background section of this report, states that the
primary responsibility of the Enterprise Architecture Program Office is to
ensure the success of the Enterprise Architecture program.

       Within the Department, JMD’s Policy and Planning staff is responsible
for maintaining, refining, updating, and applying the Department Enterprise
Architecture. To implement this core element, the Policy and Planning staff
gathers and maintains information about the Department’s current state of
IT resources and a “to be” target state. The target state aims to improve
the current state in ways such as minimizing redundancy of IT services,
improving the ability to share information Department-wide and with
external stakeholders, and retiring IT assets that are no longer providing
optimum service. Enterprise Architecture information, tightly coupled with
cost information on IT business investments, helps the CIO make strategic
decisions about the direction and evolution of the Department’s IT services.

       Chief Architect. The CIO Practical Guide and the GAO framework state
that an agency should appoint a Chief Architect who is responsible and
accountable for the Enterprise Architecture and whose background and
qualifications include both the business and technology areas of the
organization. Additionally, the Chief Architect is responsible for ensuring the
integrity of the Enterprise Architecture development process and for the
content of the Enterprise Architecture products.

      The Department has a Chief Architect who is the principal advisor to
the Department’s Chief Technology Officer and CIO on all Department-wide
Enterprise Architecture matters.
The Department’s Chief Architect is
responsible for:

     •   leading the development of Enterprise Architecture products,

     •   serving as the technology and business leader in ensuring the
         integrity of architectural development processes and products,

     •   providing technical and strategic planning and policy development,
         and

     •   providing guidance to capital planning and IT investments.

      Framework, Methodology, and Automated Tool. The Department is
developing its own Enterprise Architecture framework and methodology
through its Capability Delivery Model. The Department’s framework is to be
an architecture based on capability areas within the entire Department and
its components, with individual capability architectures acting as building
blocks that are intended to form a Department-wide Enterprise Architecture.
This Department-wide Enterprise Architecture will include both cross-cutting
and component-specific capabilities.

       An Enterprise Architecture automated tool serves as the storehouse of
the architecture products. Architecture products include the current and
target architectures and the transition plan. The choice of tool is based on
the agency’s needs and the size and complexity of the architecture.
As stated previously, the Department tested the Popkin automated tool to
store its architecture products but is now exploring alternatives to Popkin.

     Critical Attribute 3: Demonstrates Satisfaction of Commitment

      The completion of the third critical attribute for achieving
Stage 2 requires the Department to establish an Enterprise Architecture
Program Plan that includes the following core elements:

     (1) describes both the current and the target architectures as well as
         a transition plan;

     (2) describes the current and target architectures in terms of
         business, performance, information, application, and technology;
         and

     (3) determines the application of security within each architectural
         area.

The Department’s Enterprise Architecture Completion and Use Plan
completes the three core elements under Critical Attribute 3.

      Current and Target Architectures, and Transition Plan. The
interagency CIO Council requires that agencies have a written Enterprise
Architecture Program Plan. The plan should describe the steps to be taken
and the tasks to be performed in managing the Enterprise Architecture
program. The plan should also make provision for the development of
architectural descriptions of how the organization currently operates (the
current architecture), how it intends to operate in the future (the target
architecture), and how it will transition from the current to the target
environment (the transition plan).

     The Department submitted a Department Enterprise Architecture
Completion and Use Plan to the OMB in February 2005, and is working on a
Department Enterprise Architecture Program Management Plan.
The Department’s Management Plan will:

     •   establish a Department-wide “as-is” architecture;

     •   update a capability-based target “to-be” architecture; and

     •   develop a transition or sequencing plan based on the
         Department-wide “to-be” architecture.

      Security. The Department has a comprehensive Security Architecture
in place that will be aligned with security standards for the Department’s
overall Enterprise Architecture efforts.

     Critical Attribute 4: Verifies Satisfaction of Commitment

      The completion of the fourth critical attribute to achieve Stage 2
requires the Department to ensure that the Program Plan calls for
developing metrics for measuring Enterprise Architecture progress, quality,
compliance, and return on investment. The Department has not
implemented this core element.

      The measurement of Enterprise Architecture progress, quality, and
compliance is necessary to ensure that the Enterprise Architecture meets the
targeted milestones and is compliant with necessary regulations. Measuring
return on investment would tell the Department what benefits are realized
by the development of the Enterprise Architecture in relation to its cost.

      Developing Metrics for Measuring Enterprise Architecture Progress.
The Department has not yet established metrics for measuring Enterprise
Architecture progress, quality, compliance, and return on investment. The
Department’s Enterprise Architecture Completion and Use Plan states that
Enterprise Architecture links performance measures to some portions of the
architecture segments.
This does not meet the criteria for the fourth
attribute.

Stage 3 — Limited Progress

      The Department is moving from building the Enterprise Architecture
management foundation to developing Enterprise Architecture products for
Stage 3. To complete Stage 3, the Department must still: (1) establish an
organization policy for the Enterprise Architecture development; (2) ensure
that Enterprise Architecture products are under configuration management;
(3) ensure that Enterprise Architecture products describe both the current
and target environments of the agency; (4) ensure that the business, data,
application, and technology descriptions address security; and (5) ensure
that progress against Enterprise Architecture plans is measured and
reported.

      The Department has made limited progress toward attaining
Stage 3 maturity of the GAO Enterprise Architecture Management
Framework. The Department has made progress on developing a process
for developing current, target, and transition architectures. However, the
Department lacks a written and approved policy for Enterprise Architecture
development, implementation, and maintenance. In addition, the
Department must ensure that when completed, all Enterprise Architecture
products undergo configuration management and that the Enterprise
Architecture addresses security, as stated in the Enterprise Architecture
Completion and Use Plan.

     Critical Attribute 1: Demonstrate Commitment

      To complete the first critical attribute for Stage 3 of the Enterprise
Architecture Management Framework, the Department must establish the
following core element: develop a written and approved organization policy
for the Enterprise Architecture development.
The Department has not
completed this core element.

      According to the Enterprise Architecture Management Framework, an
organization policy is an important means for ensuring agency-wide
commitment to developing the Enterprise Architecture and for clearly
assigning responsibility for doing so. The architecture policy should define
the scope of the architecture, including a description of the current and
target architecture, as well as a transition plan that supports the move from
the current to the target architecture. Additionally, the policy should provide
processes for Enterprise Architecture oversight and control, review, and
validation. The policy should also address the purpose and value of an
Enterprise Architecture, its relationship to the organization’s strategic vision
and plans, and its relationship to the capital planning process.

      The Department has not established a written and approved
organization policy for Enterprise Architecture development. As described in
Stage 2, the Department established the Enterprise Architecture Program
Office with responsibility for developing the Enterprise Architecture. In
addition, the Enterprise Architecture Program Management Plan — discussed
in Stage 2 — outlines a high-level scope of the architecture, including a
description of the planned current and target architecture, as well as the
transition plan. The Enterprise Architecture Program Management Plan also
addresses Enterprise Architecture oversight, control, review, and validation
responsibilities, but in little detail.

      Critical Attribute 2: Provides Capability to Meet Commitment

     The completion of the second critical attribute for achieving Stage 3
maturity requires the Department to establish the following core element:
ensure that Enterprise Architecture products are under configuration
management.
9 The Department has not yet met this standard.

      According to the draft of the Department Enterprise Architecture
Program Management Plan, the Enterprise Architecture Program Office will
perform configuration management of Enterprise Architecture Products. The
Office will also prepare and publish policy to include establishment of
necessary configuration committees.

      9 Configuration management is the process of managing changes to IT
systems or hardware.

     Critical Attribute 3: Demonstrates Satisfaction of Commitment

     The completion of the third critical attribute for achieving
Stage 3 maturity requires the Department to establish three core elements:

       (1) ensure that Enterprise Architecture products describe the current
           and target agency environments and the transition plan;

       (2) ensure that the current and target environments are described in
           terms of business, data, application, and technology; and

       (3) ensure that the business, data, application, and technology
           descriptions address, or will address, security.

The Department has not implemented core elements 1 and 2. The
Department addresses security in its Enterprise Architecture plans;
therefore, core element 3 is complete.

      Current and Target Architectures, and Transition Plan. According to
the Enterprise Architecture Program Management Plan, Enterprise
Architecture products will describe the current and target agency
environments, as well as the transition plan. As stated earlier, the
Department has not completed all components of the Enterprise
Architecture. The current, target, and transition processes for the
Department are to be identified, approved, and documented by the end of
FY 2006.
The Enterprise Architecture Program Plan also states that
Enterprise Architecture products — current and target architectures and the
transition plan — will be described in terms of business, data, application,
and technology.

      Security. The Department Enterprise Architecture Completion and Use
Plan states that Enterprise Architecture will align security standards to the
Technical Reference Model.

     Critical Attribute 4: Verifies Satisfaction of Commitment

      The completion of the fourth critical attribute to achieve Stage 3
maturity requires the Department to establish the following core element:
ensure that progress against Enterprise Architecture plans is measured and
reported. The Department has not implemented this core element.

    As stated in Stage 2, the Department has not established metrics for
measuring Enterprise Architecture progress. The measurement of such
progress against Enterprise Architecture development plans is necessary to
ensure that the development meets targeted milestones.

Stage 4 — to be Completed

      Additional work must be completed before the Enterprise Architecture
is used as intended in Stage 4 — to drive sound IT investments that are
consistent with the Department’s goals and missions.

      To complete Stage 4, an agency must: (1) establish policy for
maintaining the Enterprise Architecture; and (2) complete the Enterprise
Architecture, including the current and target architectures along with the
transition plan to get from the current to the targeted environments. The
completed Enterprise Architecture must be described in terms of business,
data, application, and technology; the descriptions must address security
and be approved by the agency CIO and the committee or group
representing the agency or the investment review board.
The Department
has not established a policy for maintaining the Enterprise Architecture.

Stage 5 — to be Completed

      To reach Stage 5 maturity, an agency must use its Enterprise
Architecture to drive IT investments and ensure systems’ interoperability.
The Department cannot meet Stage 5 requirements of the Enterprise
Architecture Management Framework until it completes its Enterprise
Architecture.

       According to the GAO framework, an organization at Stage 5 maturity
has completed the Enterprise Architecture and secured senior leadership
approval of it. Further, decision-makers are using the architecture to
identify and address ongoing and proposed IT investments that are
conflicting, overlapping, not strategically linked, or redundant. Stage 5
agencies are therefore able to avoid unwarranted overlap across investments
and ensure maximum system interoperability, which in turn ensures the
selection and funding of IT investments with manageable risks and
acceptable returns on investment.

Department IT Infrastructure

       The foundation of the Department’s Enterprise Architecture lies in its
IT infrastructure. The Department’s IT Strategic Plan describes the state of
the Department’s IT infrastructure as follows.

      Currently, the Department’s infrastructure is largely
      decentralized, fragmented and outdated. It is essentially an
      amalgamation of infrastructures designed, developed and
      maintained by individual components to meet their specific
      needs.
      This approach has introduced an unnecessary level of
      complexity, cost and risk, and inadvertently created technical
      barriers to sharing information.

       The IT Strategic Plan establishes a Strategic Initiative to “develop the
Infrastructure architecture layer of the Department’s Enterprise
Architecture.” Specifically, “The Department will work with the components
to develop a Department-wide infrastructure architecture — a layer of the
Department’s overall Enterprise Architecture. The infrastructure architecture
will provide a common conceptual framework to support technical
interoperability, define a common DOJ vocabulary, and provide a high-level
description of the information technology deployed throughout the
Department.”

      A consolidated infrastructure will aid the Capability Architecture effort.
The Department is developing the elements of a consolidated infrastructure
through a number of pilot programs. One example is the Public Key
Infrastructure (PKI), created to resolve the Department’s computer security
concerns. PKI is intended to implement an IT security program as well as
complete the design, development, and implementation of a secure and
trusted IT environment.

      The Infrastructure Architect is the person responsible for consolidating
the Department’s IT infrastructure.
The Infrastructure Architect has
described the following four critical elements of a consolidated infrastructure.

      •   Ubiquitous Communication: single, Department-wide
          communications application.

      •   Uniform Security: Department-wide security architecture and
          standards.

      •   Identity: identification of users and management with access to
          Department systems.

      •   Directory Service: Department-wide user database.

       The Infrastructure Architect foresees cost savings, economies of scale
in IT acquisitions, and enhanced enforcement of security and management
of IT performance as benefits resulting from this consolidation. At the time
of our field work, a draft Consolidated Infrastructure plan was nearing
completion.

Oversight of Components’ Enterprise Architecture Development

      Completion of a clear and comprehensive Department Enterprise
Architecture will require a collaborative effort between the Department and
the major Department components. The two-tiered architecture envisioned
by the Department will require components to contribute Enterprise
Architectures that encompass those component-specific IT systems that are
not included in the Department’s cross-cutting Capability Architectures.
Some components, such as the FBI and the DEA, have made progress in
developing their component-level Enterprise Architectures. Others, such as
JMD, have not. In JMD’s case, efforts begun in 2003 to develop a
component-level Enterprise Architecture were held in abeyance as work
began on the higher-priority Department-level Enterprise Architecture.

       The Department’s FY 2004 Report on Information Technology identifies
funds budgeted for Enterprise Architecture and related planning.
The table provides a 1-year snapshot of money budgeted for Enterprise
Architecture efforts.

      FY 2004 Component Enterprise Architecture (EA) Budgets

Component                                            Budget Line Item                   Total Investment
Bureau of Alcohol, Tobacco, Firearms and Explosives  EA/Configuration Management              $3,900,000
Antitrust Division                                   EA/IT/IRM                                $1,065,000
Federal Bureau of Prisons                            IRM                                        $928,000
Community Oriented Policing Services                 IT Architecture                            $475,000
Drug Enforcement Administration                      EA/ITIM/Capability Maturity Model        $1,204,000
Federal Bureau of Investigation                      EA/ITIM                                  $2,786,000
Interpol                                             IT Architecture/Planning                   $175,000
Justice Management Division                          JMD/IMSS Architecture Program            $1,521,000
National Drug Intelligence Center                    EA/ITIM/IRM                                $940,000
Office of the Inspector General                      EA and Planning                            $100,000
Office of Justice Programs                           IT Management/Architecture               $2,700,000
US Attorneys                                         IT Program Management                      $602,000
US Marshals Service                                  IT Management                           $10,317,000
Total                                                                                        $26,713,000
Source: Department of Justice FY 2004 Budget

       In 2001, the Department requested that components submit their ITIM
processes for review.
However, the Department did not make a similar
request for Enterprise Architectures. The Department also issued guidance,
based on a Technical Reference Model, to develop a high-level Enterprise
Architecture for the Department. A Department official stated that the only
guidance provided to the components on Enterprise Architecture was
through the Technical Reference Model and the Enterprise Architecture
Committee (discussed in the Department Enterprise Architecture section of
this report). Also, the Department did not track the development of
components’ Enterprise Architectures, validate Enterprise Architectures
developed, or ensure that Enterprise Architectures were kept current.

       According to the CIO, the Department conducts little oversight of
component Enterprise Architectures. The CIO described a “broad brush”
programmatic approach to the oversight of component Enterprise
Architectures, which includes establishing standards and Enterprise
Architecture tools, developing work plans for a Department-wide Enterprise
Architecture, and establishing management of component-level Enterprise
Architectures. However, as of June 2005, none of these efforts had been
completed. At the same time, according to the CIO, the Department takes a
“deep dive” approach in overseeing the components with selected Enterprise
Architecture capability areas. According to the Chief Technology Officer
(CTO), as discussed earlier, the capability areas cross-cut multiple
components and include Financial Management, Law Enforcement
Information Sharing, Case Management, and the Justice Consolidated Office
Network (JCON). The CTO also said there are several E-government-related
architecture efforts in progress at the federal level for which the Department
is either the managing partner or is an active participant.
Therefore, these
select few architectures merit more intensive Department oversight.

       The CTO stated that components should develop project-specific
architectures as necessary for projects that are a priority to the component,
because these projects may not be included in the Department Enterprise
Architecture. For architecture projects currently identified as common
solutions or E-government projects, the Department Enterprise Architecture
will provide guidance to the Enterprise Architecture program teams as
necessary. The CTO stated that even though the Department is already
informally involved to varying degrees with some components’ architecture
efforts, it is in the process of establishing a formal Department Enterprise
Architecture governance structure. The Department Enterprise Architecture
program document will provide guidance to the components and program
managers of other cross-component architecture efforts at the same time.
According to the CIO, some of the common solution projects are underway
and need a lesser degree of involvement from the Department’s Enterprise
Architecture team. For architecture efforts that are identified as common,
multi-component solutions in the future, the Department Enterprise
Architecture will take the lead in developing the Enterprise Architecture
teams and play a greater role in developing the architecture. All
architecture efforts within the Department are to map their Enterprise
Architecture to meet OMB, FEAF, and GAO guidance.

Conclusion

       An organization without a completed Enterprise Architecture assumes
the risk that it will invest in IT that is duplicative, not well integrated, costly,
or not supportive of the agency’s mission. Until a Department-wide
Enterprise Architecture is completed, the Department faces such risks.
Once the Enterprise Architecture is completed, the risks will be reduced and
the Department will have a more realistic vision of its future IT requirements.

       The current effort to develop a Department-wide, capability-based
Enterprise Architecture for systems that cross-cut two or more components
is in an early stage. Instead of being based on the generally accepted FEAF,
this Enterprise Architecture will be based on the Department’s self-created
framework: the Capability Delivery Model. We believe it is too soon in the
development of the model to determine if it will contain all the necessary
elements of an Enterprise Architecture. It is also too soon to determine if,
when fully developed, the model will result in an Enterprise Architecture that
conforms to GAO, FEAF, and OMB guidance.

        The Department believes that the most efficient approach to its
Enterprise Architecture is to focus its efforts on major, cross-cutting IT
systems with individual architectures for groups of systems such as case
management systems. Component-level projects are expected to be
covered by component-level Enterprise Architectures, which together with
the Capability Architectures are to form the Department Enterprise
Architecture. The Capability Delivery Model approach focuses on the
high-visibility and high-cost cross-cutting IT projects.
We believe that focusing
management attention on high-risk projects is a prudent approach.
However, a successful Enterprise Architecture should present a clear and
comprehensive view of an organization, and the Department must take care
to avoid a disjointed, fragmented, or incomplete Enterprise Architecture.
Our audit found a lack of consistent coordination between the Department
and component Enterprise Architecture efforts, which increases the risk that
the Department’s two-tiered approach could result in gaps within the
Department’s Enterprise Architecture.

       In the course of conducting this audit, and in reviewing previous audits
of DEA and FBI IT management, we found that the Department’s oversight
of component Enterprise Architecture efforts in general continues to be
inconsistent. Components have been developing Enterprise Architectures for
several years at considerable cost without ongoing and substantive
Department-level guidance or monitoring. The Department is not currently
providing direction to ensure that components’ Enterprise Architecture
efforts are consistent with, and will meet the needs of, the overall
Department Enterprise Architecture under development. The Department’s
two-tiered approach to Enterprise Architecture will require all major
components responsible for IT systems to develop Enterprise Architectures
in order for the overall Department Architecture to present a clear and
comprehensive view of the Department’s IT environment.
However, the
components have generally been working on their Enterprise Architectures
independently, without specific guidance or monitoring to ensure full
compatibility with the Department-level Enterprise Architecture when it is
developed.

      The Department has begun to improve its oversight and guidance of
components’ Enterprise Architecture efforts. For example, an Enterprise
Architecture Program Management Plan, completed in June 2005, discusses
the Department’s Enterprise Architecture organization, interaction between
the components and the Department, the need for a Department-wide
Enterprise Architecture tool, and components’ use of the FEAF. However,
more progress is needed, and we provide the following recommendations for
the Department.

Recommendations:

     We recommend that JMD:

    1. Complete the Department-wide Enterprise Architecture to ensure
       that IT investments are not duplicative, are well-integrated, are
       cost-effective, and support the Department’s mission.

    2. Provide Departmental guidance to components for the development
       and maintenance of Enterprise Architectures consistent with the
       guidance provided by the FEAF, the OMB, and the GAO.

    3. Track and review the planning, development, completion, and
       updating of component-level Enterprise Architectures.

Finding 2: Information Technology Investment Management

     The Department of Justice is in the early stages of developing the
     ITIM processes required by the Clinger-Cohen Act. These
     processes include selecting, evaluating, and managing IT
     investments while ensuring that agency missions are being
     supported. The Department’s initial efforts to comply with
     Clinger-Cohen began in 2001, but progress has been limited.
     In 2004, the Department developed an Information Technology
     Strategic Management (ITSM) Framework that should enable the
     Department to implement Department-level ITIM processes and
     properly oversee the components’ efforts. The Department
     expects its ITSM framework to lead to high-level IT leadership
     and centralization of IT functions, guide components that need
     assistance in implementing their own ITIM processes, and provide
     ITIM processes for smaller components that do not yet have
     them. The ITSM framework is also intended to result in
     integrating the components’ ITIM processes with the
     Department’s high-level ITIM processes. To fully comply with
     Clinger-Cohen, however, the Department must ensure that all IT
     investments follow effective selection, evaluation, and
     management practices. Due to the early stages and fragmented
     nature of the Department’s overall ITIM development, the
     Department risks making IT investments that are duplicative or
     that do not fully support the agency’s mission. Such risks will be
     greatly mitigated once the Department and its components
     establish and follow mature ITIM processes.

Department-level ITIM

      A key objective of the Clinger-Cohen Act is to ensure that agencies
implement processes for maximizing the value of IT investments and for
assessing and managing the risks of IT acquisitions. To accomplish this
objective, agencies must establish processes to ensure that IT projects are
being implemented at acceptable costs and within reasonable timeframes,
and that the projects are contributing to tangible, observable improvements
in mission performance. Additionally, OMB Circular A-130 requires each
federal agency to establish and maintain a capital planning and investment
control process for IT.
The Department is in the early stages of developing
Department-wide ITIM processes.

The Department and its components made various attempts to
develop ITIM policies and procedures under Clinger-Cohen beginning in
2001, but progress has been slow. In October 2004, the Department issued
a framework for developing ITIM processes, called IT Strategic Management
(ITSM). The purpose of the ITSM framework is to:

    • consolidate the processes of IT policy and planning into a
      coordinated IT planning and management effort;

    • serve as a communication vehicle for delineating the relationships
      between Departmental and component IT planning and
      management activities;

    • define products for which guidance and performance measures can
      be developed; and

    • provide a context for building tactical project plans to operate IT
      selection, evaluation, and management.

Once the processes created through the ITSM framework are fully
developed, the Department expects that the components’ ITIM processes
and functions will be integrated within the Department’s overall ITIM
structure. The Department-level ITIM will then support all components
regardless of size, funding, or resources.
In order to achieve this objective
and ensure coverage of all IT projects within the Department, components
that have or are developing ITIM processes will be required to incorporate
the Department’s ITSM framework into their own frameworks.

The following tables summarize Clinger-Cohen and OMB A-130
requirements and how the ITSM framework is to meet them.

Clinger-Cohen Requirements              ITSM Framework Characteristics

Provide for selection,                  A framework that aligns with the
management, and evaluation of           OMB Investment Management
investments.                            Process Model for the selection,
                                        control, and evaluation of
                                        investments.[10]

Integrate with budget, financial,       An IT Funding and Architecture
and program management                  Phase that integrates OMB IT
processes.                              submissions with the Department
                                        budget processes.

Include minimum performance             An IT Strategic Planning Phase that
criteria for comparing and              considers strategic alternatives,
prioritizing alternative investment     technical alternatives, and
projects.                               investment alternatives.

Identify investments with shared        An Investment Planning Process for
benefits or costs for other             Enterprise Architecture that
agencies.                               develops Enterprise Architecture
                                        with Federal partners to provide
                                        optimal solutions.

Identify quantifiable                   Performance measures to be
measurements for net benefits           developed for investments.
and risks of the investment.

Provide the means for senior            An Investment Oversight Phase with
management to obtain timely             tools and mechanisms to review
information regarding the               processes for reporting timely
progress of an investment.              information to senior management.

Source: Department ITSM Framework

[10] The OMB Investment Management Process Model establishes an analytical
framework for linking IT investment decisions to strategic objectives and
business plans in federal organizations. Federal organizations are to use
this model in developing their own ITIM frameworks.

OMB Circular A-130 Requirements         ITSM Framework Characteristics

Monitor investments.                    An IT Oversight Phase for
                                        monitoring investments, and a
                                        web-based Dashboard to
                                        summarize the status of
                                        investments. (The Dashboard is
                                        discussed later in this report.)

Prevent redundancy of existing or       A Strategic Planning Process that
shared IT capabilities.                 analyzes the Department’s
                                        capability needs and develops
                                        strategies for meeting these needs,
                                        using non-redundant technologies.

Demonstrate the impact of               An Investment Planning Process
alternative IT investment               that considers alternative technical
strategies and funding levels.          and resource strategies.

                                        An IT Funding and Architecture
                                        Phase that works in conjunction
                                        with the Budget Process to
                                        optimize funding levels.

Identify opportunities for sharing      An Investment Planning Process for
resources and consider their            Enterprise Architecture and Human
inventory of information as             Capital, which includes the
resources.                              development of transition
                                        strategies for optimizing technical
                                        Departmental assets and human
                                        capital.

Source: Department ITSM Framework

To assist organizations with developing ITIM processes, the GAO
developed ITIM: A Framework for Assessing and Improving Process Maturity,
which provides a method for evaluating how well an agency is selecting and
managing its IT resources. This framework is built around the
select/control/evaluate approach described in Clinger-Cohen. The most
current version, issued in 2004, is a maturity model composed of five
progressive stages.[11] Appendix 4 outlines the GAO framework. We intended
to use the GAO ITIM framework to evaluate the status of the Department’s
ITIM but did not do so because of the Department’s limited progress in
establishing its ITIM processes.
Instead, we examined the Department’s
ITSM framework to determine whether it would allow for the development of
effective ITIM processes.

Since 2002, the Department has worked on various policies and
procedures related to developing a Department-wide ITIM. In addition to
the Department’s ITSM framework, the Department created a web-based
“Dashboard” tool to show IT investment information and status, an IT
Strategic Plan to set IT strategic goals, and a Department Executive Review
Board (DERB) Charter to provide oversight for components’ IT investments.
A discussion of the ITSM framework and the other initiatives follows.

Department IT Strategic Management Framework

ITSM Phases

The Department ITSM Framework is designed to establish a
Department-wide ITIM process in three phases: IT Planning, IT Funding and
Architecture, and IT Investment Oversight.

    • The IT Planning Phase is to establish the IT strategies and priorities
      through the development of an IT Strategic Plan and then build on
      those strategies through the development of an IT Investment Plan.

    • The IT Funding and Architecture Phase builds from the IT Planning
      Phase. The IT Investment Plan is used to formulate a budget, while
      the architecture portion of the phase develops a “conceptual
      architecture” to guide project development. The main product of
      the IT Funding and Architecture Phase is a funded enterprise
      portfolio.

    • The IT Investment Oversight Phase monitors the progress of
      development and implementation of the Department’s IT
      investments.
      This phase consists of a continuing evaluation of the
      Department’s IT portfolio to determine whether investments should
      be made, existing systems should continue to operate, or systems
      should be eliminated.

[11] To attain a higher stage of maturity, an agency must meet certain
requirements for that stage in addition to meeting all of the requirements
for the previous stages.

As shown in the following ITSM framework model, the three phases
are applied to business cycles and are supported by core processes and
products, an enterprise portfolio, and performance measures. A discussion
of the Department’s efforts to implement the model follows.[12]

[Figure: IT Strategic Management (ITSM) Framework – Framework Model.
ITSM Phases: IT Planning Phase; IT Funding & Architecture Phase; IT
Investment Oversight Phase. ITSM Business Cycle: Planning Year (OCT - DEC,
JAN - MAR, APR - JUN, JUL - SEP); Budget Year; Operation Years; with the
stages Select, Control, and Evaluate. ITSM Core Processes & Products:
DOJ IT Strategic Plan; DOJ IT Investment Plan; OMB Submission & Candidate
Portfolio; Conceptual Architectures & Enterprise Portfolio; Formal
Acceptance; Strategic Planning Process; Investment Planning Process; Budget
Submission Process; Pass-back and Spend Plan Process; Capability
Architectures Process; Tier I: OCIO Dashboard Process; Tier II: Project
Oversight Process (POP); Tier III: Executive Oversight Process; Evaluation
Process. ITSM Continuous Integrated Processes: Portfolio Management;
Enterprise Architecture; Human Capital; IT Security; E-Gov; Infrastructure
Management; Business Operations. Labeled: DOJ Office of the CIO.]

Source: Department of Justice, Office of the Chief Information Officer

[12] For a summary of the ITSM Continuous Integrated Processes, see
Appendix 9.

IT Planning Phase

The Strategic Planning Process, part of the IT Planning Phase,
identifies the long range goals, objectives, strategies, and measures of
project success. IT strategic planning occurs early in the ITIM process
planning years and results in an IT strategic plan. The Department’s IT
Strategic Plan was first created in 2002 and revised in 2005. The plan
contains priorities that drive management and investment decisions for the
remainder of the strategic management cycle.
Strategic planning also
considers business priorities, information use and management
requirements, technology integration, and other strategies to migrate the
current IT structure to the target structure. Furthermore, the Strategic
Planning Process assesses the current state of IT programs, identifies
mission requirements for IT, and defines the goals to be pursued and the
measures to be used to monitor progress. This strategy guides the
development of the Department IT portfolio and component investment
plans.

Prior to FY 2004, investments were not selected or funded in
consideration of developing a cohesive Department IT portfolio. Instead, the
Department reviewed component concept proposals and budget requests to
ensure alignment with the 2002 IT Strategic Plan and IT Guiding
Principles.[13] The principles were to be applied Department-wide.

In FY 2004, the Department began implementing the ITSM
framework’s IT Planning Phase for the FY 2005 budget. Each component
met to discuss the Department’s IT needs that were to be integrated into
component IT systems and concept proposals. Since 2004, review meetings
have been held with components proposing major IT investments.
While no
new Department-wide IT Strategic Planning policies or procedures were
issued in FY 2004, the Department took the following actions for Strategic
Planning:

    • updated a Strategic Planning Guide from 2003 describing the
      methodology and processes used to complete the tasks associated
      with developing the IT Strategic Plan;

    • completed an IT Annual Needs Report based on input from the
      components;

    • created an IT Annual Needs Chart to outline major IT issues that
      will surface over the next couple of years; and

    • updated the IT Strategic Plan after 3 years to include performance
      measurement criteria and align the plan with the Department’s
      mission.

[13] Concept proposals explain a component’s investment plan and objective.

The Department completed its IT Investment Plan in May 2005 and is
currently updating the plan for submission to the OMB for the next budget
cycle. In FY 2006 and beyond, the Department plans to work on processes
and products related to the Strategic, Transition, and Investment plans and
develop a Human Capital Plan.

IT Strategic Planning Process

The Department has recognized the need to focus more attention on
IT management and information sharing. As a result, the Department has
decided to take a more proactive role in matching technology to identified
business needs. Instead of a decentralized approach whereby only the
Department components develop ITIM processes, the Department wants to
develop a more centralized approach to IT management by developing
Department-level ITIM processes.
This approach requires components
without an ITIM system to use the Department’s ITSM framework, while
components with established ITIM processes will need to integrate the
Department’s ITIM processes with their own. The plan’s three main goals
are to provide: (1) information sharing among all components, (2) a reliable
and cost-effective infrastructure to conduct Department-wide electronic
business, and (3) management processes and policies to support and
improve the Department’s IT performance and continuity.

The Department’s IT Strategic Plan is based on the 2003 IT Strategic
Planning Guide. The strategic goals listed in the IT Strategic Plan include the
following.

    • Information sharing: to provide quality electronic solutions that
      allow mission information to be shared in a timely manner inside
      and outside the Department.

    • Infrastructure and Security Services: to provide a seamless,
      reliable, secure, and cost-effective infrastructure for conducting
      Department-wide electronic business.

    • IT Management: to establish, institute, and improve management
      processes and policies to support and improve the Department’s IT
      performance and process.

Investment Planning Process

The Investment Planning Process identifies specific investments
needed to achieve the strategic priorities of the Department consistent with
the IT Strategic Plan, and seeks to create an investment plan that balances
business priorities and funding resources. Using the IT Strategic Plan and
the investment plans from portfolio managers and the components, IT
planners and business leaders prioritize needed investments.
The
Department IT Investment Plan is the result of this investment planning.
The Investment Plan identifies the recommended IT investments to support
the IT Strategic Plan and the investment performance measures that define
the expected business results. The Investment Planning Process provides a
method for converting the strategic goals and objectives defined by the IT
Strategic Plan into a set of prioritized investments for the future.

For the Investment Planning Process, the Department developed a
draft investment process guide, an investment plan with performance
metrics, portfolio strategies, and a Transition Planning Process Guide.
Additionally, IT questionnaires and surveys from component CIOs were
collected to determine human capital needs. The development of the Human
Capital Plan is ongoing and involves performing the analysis, planning, and
organizational transitions needed to staff and manage IT investment
portfolios and approved projects. Additionally, the skills and staffing needed
to implement the IT initiatives to be funded are assessed, and the actions
required to budget for, reassign, acquire, develop, and retain human
resources are performed. To date, the Department appears to be making
progress toward completing the Investment Planning Process.

IT Funding and Architecture Phase

The IT Funding and Architecture Phase of the Department’s ITSM
framework consists of ongoing processes that establish the budget and
architectures to be used by the Department and its components in
developing, operating, or terminating IT projects. Funding for IT projects
follows the same process the Department uses to obtain funding for all other
functions: the Budget Submission Process.
This process converts the IT
Investment Plan into a fully documented and properly formatted IT budget
request ready to be combined with the Department’s full budget request.
This involves the development of investment business cases and other
documentation from Department staffs, components, and other sources, and
the integration of these individual investments into a unified portfolio for
review by the Department’s leadership and submission to OMB.

The subsequent pass-back from OMB and Spend Plan Process, as part
of the IT Funding and Architecture Phase, leads proposed investments
through the budget process to become incorporated into the enterprise
portfolio. This occurs through three steps: (1) the OMB pass-back, which
provides the Department with initial OMB budget decisions; (2) the
submission of the final Department budget, which is then incorporated into
the fiscal year budget by the OMB; and (3) the revision of the IT candidate
portfolio and preparation of spending plans after the fiscal year budget is
enacted. Once funded, the candidate investments are moved to the
enterprise portfolio for investment management. The enterprise portfolio
contains all of the funded IT investments for the Department.

In the Capability Architectures process, project managers work toward
converting the strategies defined in the strategic planning process into an
overall Enterprise Architecture. Capability architectures are used by the
project managers to drive the development of solution architectures for
investment projects.
These capability architectures, which focus on
providing Enterprise Architecture capabilities for Department-wide support of
business needs, are also used to review solution architectures to ensure
compliance with initial conceptual architectures.

According to Department officials, the objective for Enterprise
Architecture efforts in FY 2003 and prior years was to build a foundation to
develop a mature Enterprise Architecture. Business, System, and Data
Architectures were developed along with an Enterprise Architecture
Management Systems Tool. For the FY 2004 budget, requests for
investment and project funding were submitted to the Department by
project managers. The Attorney General’s IT Budget Guidance, which is a
memorandum initiating the annual Department budget process, was also
developed for funding the Department’s IT projects. For FY 2005, an
integrated budget submission process was developed and, according to
Department officials, this process allowed the Department to work closely
with the JMD Budget Staff to integrate Department IT needs into the budget.
For FY 2006 and future years, the Department intends to institutionalize an
integrated budget submission process. However, the actual processes and
policies have not yet been determined.
Additionally, a Budget Submission
Guide and a performance measurement document are still needed to
complete the IT Funding and Architecture Phase.

IT Oversight Phase

As mandated by Clinger-Cohen, each agency head must establish
ITIM processes and provide oversight by determining: (1) which employees
should perform certain IT management functions; (2) if certain IT functions
should be contracted to outside sources; (3) which IT missions, processes,
and administrative practices must be revised to support each other in
making significant investments; and (4) if the information security policies,
procedures, and practices are adequate.

In complying with the oversight responsibilities outlined in
Clinger-Cohen, Department Order 2880.1A stated that the Department’s CIO is
responsible for:

    • developing and implementing Department ITIM policy and
      guidance;

    • confirming that each Department component has a decision-making
      infrastructure and appropriate ITIM processes in place to make
      sound business investments based on thorough planning, risk
      management, project prioritization, and funding availability;

    • assisting components in developing and implementing ITIM
      processes and providing value-added services or information on
      cross-cutting issues or investments;

    • ensuring Department IT investments are consistent with
      Department IT strategic planning, budget, acquisition, and program
      management decisions;

    • supporting the IT Investment Board and CIO Council in performing
      their duties;

    • performing oversight of components’ IT investments and ITIM
      processes through the annual budget process, independent
      technical assessments, and regularly scheduled briefings on the
      components’ portfolios and the individual IT investments within the
      portfolios;

    • providing for coordinated or centralized management of
      cross-cutting IT investments to ensure system and data compatibility;

    • incorporating component investment portfolios into a Department
      corporate IT investment portfolio that supports Departmental
      priorities; and

    • advising the Attorney General on initiating, continuing, modifying,
      or terminating IT investments.

In response to Order 2880.1A, issued in March 2001, 29 of the 34
major components required to submit ITIM processes to the Department
complied by September 2002.[14] Five components did not submit an ITIM
process for approval, while another five components that were not required
to submit a process submitted one. None of the ITIM processes were fully
developed. According to a Department IT official, the five components that
did not submit ITIM processes were small and did not have significant IT
investments. Initially, the Department tracked whether the components
submitted ITIM processes and whether the processes were approved by the
Department’s CIO. The Department responded to the components, stating
that their ITIM processes would be evaluated and either accepted or
rejected. The Department then provided suggestions for improving their
processes. In addition, the Department surveyed the components in May
2003, nearly 1 year after the ITIM processes were submitted, to determine
how the components had progressed. According to the Department CIO, the
components were having a difficult time developing their ITIM processes and
progress was slow.
In JMD’s case, its efforts begun in 2002 to develop
component-level ITIM processes were abandoned in 2004 as it focused on
developing the ITSM framework for the Department’s overall ITIM effort.
The Department is planning to issue a revised version of Order 2880.1A
which is expected to better outline component responsibility as well as the
Department’s oversight role. The Department does not have an estimated
date for issuance of the revised version.

For the components considered by the Department to be so small that
it would not be beneficial to spend time developing a component-based ITIM
process, yet they have IT systems necessitating an ITIM process, the
Department developed what it refers to as an “ITIM-lite” process to facilitate
decision making throughout the life cycle of an IT project. The purpose of
ITIM-lite was to allow management to:

    • select the most worthwhile projects through systematic review of
      new and ongoing investments,

    • control the investments to ensure they are appropriately managed
      to deliver the benefits promised, and

    • evaluate the investments to validate that they deliver what is
      expected.

The Department abandoned ITIM-lite and in 2004 began developing its
Department-wide ITIM processes, which are expected to encompass the
smaller components.

[14] 28 C.F.R. lists 35 components, but we did not include the Office of
International Programs because it is no longer part of the Department of
Justice.

The Department has not recently been overseeing the development of
components’ ITIM processes.
Instead, the Department decided to
concentrate its oversight attention on components’ actual investments.
The one exception, according to Department officials, is the tracking of the
FBI’s development of ITIM processes because the FBI accounts for about
50 percent of the Department’s IT budget. Oversight of the development of
other components’ ITIM processes was abandoned in 2002. The Oversight
Phase in the ITSM Framework, as discussed below, involves monitoring
components’ IT projects rather than overseeing or approving components’
ITIM processes or the development of the processes. According to the
Department CIO, oversight of the components’ ITIM processes is currently
performed on an ad hoc basis.

According to the ITSM framework, project oversight will occur during
the operational years of IT projects and will be divided into three tiers: the
Department Dashboard Process (Tier 1), the Project Oversight Process
(Tier 2), and the Executive Oversight Process (Tier 3).

The Department Dashboard (Tier 1) is a query tool that provides
users with the ability to access a database of Department components’ IT
systems using a web browser interface. The Dashboard is designed to
provide the Department, component CIOs, and project managers with a
“quick reference” on the current cost, schedule, performance, and risks for
major or highly visible component investment projects that are in the
Department’s IT portfolio. Projects are identified as being in a state of
completion, planning, operation, or on hold to be reviewed by the
Department CIO. The Department Dashboard gives component project
managers and reviewers access to IT project data. Data in the Dashboard
includes project cost, schedule performance, and risks.
The Dashboard is
accessible through the Department Intranet.

Project managers record the risks, milestones, and costs of projects
into the Dashboard. Based on the risks associated with the project, the
project manager rates the status of the project as red, yellow, or green.
Issues regarding excessive cost or funding shortfalls are rated red. Issues
with the potential to have excessive costs or funding shortfalls are rated with
a yellow status. If there are no excessive cost issues, projects are rated
green. Department officials then review the project information in the
Dashboard, paying special attention to projects designated as red or yellow.
Project managers are required to update the status of their projects by the
10th business day of each month. However, the project managers can bring
a project to the attention of the Department CIO at any time. The
Dashboard flags any changes made in baseline data and then displays the
project with a red flag. A Department Dashboard official can then follow up
with inquiries to the project managers. The Dashboard categorizes projects
by component. Once the Dashboard is reviewed by the component CIO and
the Dashboard Policy Advisor, the Department CIO reviews it. The CIO then
holds meetings to discuss the status of projects. Currently all components,
with the exception of the FBI, are connected to the Dashboard, which covers
approximately 80 investments. Project managers are involved in the
process through training sessions, a user guide, and one-on-one meetings as
necessary.

The Project Oversight Process (Tier 2) will consist of approximately 12
to 15 projects that are selected from those in the first tier for review and
face-to-face meetings with project managers to make sure the projects are
meeting their expected performance.
The projects selected for this tier are those that may be high-risk, over budget, politically sensitive, or otherwise demand closer scrutiny. A Department official explained that this is the level at which members of the IT and Policy and Planning Staff in the Department will become directly involved.

In the third tier, the Executive Oversight Process, approximately six projects will be selected from Tier 2, based on Department or congressional priorities, for evaluation from an investment, business, and return-on-investment perspective. This process is carried out by the Department Executive Review Board (DERB) assembled at the level of the CIO, Controller, and Deputy Attorney General. This process began as a pilot program, but its scope is now being expanded to include the Department’s entire portfolio.

According to the GAO’s ITIM framework, instituting IT investment boards is a key component in the IT investment management process because the boards define the membership, guiding policies, operations, roles, responsibilities, and authorities for each designated board and, if appropriate, each board’s support staff. Prior to the establishment of the DERB in 2004, various committees and boards were formed to facilitate the sharing of information between the Department and its components, including the following.

• The CIO Council, comprised of representatives of the major components, monitored cross-cutting investments and provided technical expertise to the Department CIO and Senior Management Council.15

• The Enterprise Architecture Committee, comprised of the Chief Architects of the major components, held monthly meetings with the CIO Council to discuss investment progress.

• The Data Architecture Sub-Committee ensured that data standards conformed with the Enterprise Data Architecture. Specifically, the committee supported transitioning from stovepiped information systems to a shared data environment.

By the end of FY 2003, all but the CIO Council were disbanded and replaced with the DERB, which is now responsible for reviewing the major IT investments of all components.

15 The CIO Council includes the designated CIOs who were represented on the Department’s Strategic Management Council, including the Federal Bureau of Prisons, FBI, DEA, and Civil Division.

A DERB official explained that investments are selected for review based on an investment’s budget or the mission-critical nature of the investment. In terms of budget, two types of projects will be reviewed: projects that are to run for more than 10 years and funded at more than $20 million, or short-term projects running for about 1 year with a budget of at least $15 million. Projects considered to be mission-critical or strategically important for the Department are reviewed, even though they may not be costly, because of the high risk involved with meeting the Department’s mission. The DERB’s Department-level oversight occurs in meetings where members discuss the investments as well as the planning, budget, risk, and assessment of current component projects. The first official DERB meeting was in November 2004 and since its inception, the DERB has met approximately five times. We found that while the DERB contributes to the cohesive nature of the ITSM framework, it is neither as comprehensive in its functions nor as capable of devoting sufficient time to individual projects as the disbanded boards that were designed to be tailored to specific IT resources.

Conclusion

The Clinger-Cohen Act and OMB Circular A-130 require agencies to ensure that IT investments are made with an overall focus on the agency’s mission and with senior management oversight. When ITIM processes using a select, control, and evaluate methodology are performed properly, the agency should reduce the risk and maximize the benefits from IT investments.

In March 2001, the Department issued Order 2880.1A, which required its components to implement ITIM methodologies and submit these methodologies for review by the Department CIO. The Department also provided guidance for developing ITIM processes. The Department planned to rely on the components’ submissions to meet ITIM requirements. While most components submitted ITIM plans, progress in implementing ITIM processes was slow. This strategy did not provide the components with a clear vision of how they should create their ITIM processes to meet the overall mission of the Department, as the Department did not have a fully developed IT Strategic Plan or Enterprise Architecture that would outline the overall mission of the Department and identify the IT investments that should be made to achieve that mission.

In 2004 the Department developed the ITSM framework, which was designed to lead to Department-level ITIM processes.
In our judgment, the ITSM framework can result in fully mature ITIM processes if carried out properly. The Department’s ITSM Framework includes the funding, oversight, and planning requirements outlined in the Clinger-Cohen Act. The Department has made some progress in implementing the processes outlined in its ITSM. Still, not all of the processes have been implemented. For example, the Investment Planning Guide and enterprise portfolio are two key elements of the ITSM that are not yet fully implemented. Without these elements, the Department cannot provide components with a complete picture of what investments should be pursued. Additionally, it is not clear that all of the Department’s IT investments will be adequately covered by the ITSM.

We believe that if the Department’s ITSM is successfully implemented, mature ITIM processes will result. However, at this early stage it is difficult to assess whether all the components will have developed compatible ITIM processes or be covered adequately by the Department’s ITIM processes. Major components, such as the DEA and FBI, are well ahead of the Department and its ITSM development.

The ultimate success of the Department’s current efforts to develop mature ITIM processes is difficult to evaluate at this early stage. The effort is likely to take years, and the Department has no firm schedule for developing its ITIM processes or ensuring the development of compatible component-level ITIM processes. In the meantime, the Department risks investing in or maintaining systems that are duplicative or may need to be replaced, altered, or eliminated if they do not align with the mission and the goals of the Department.

Recommendations

We recommend that JMD:

4. Fully implement the phases outlined by the ITSM framework to ensure that all Department IT investments are covered by an ITIM process.

5. Ensure that components requiring ITIM processes develop them.

6. Provide assistance to components in developing and implementing ITIM processes and providing value-added services.

7. Establish a clear schedule for the completion of the ITSM framework and the completion of a mature ITIM process.

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

We have audited the Department’s management of Enterprise Architecture and IT investments. The audit was conducted in accordance with Government Auditing Standards. As required by the standards, we reviewed management processes and records to obtain reasonable assurance about the Department’s compliance with laws and regulations that, if not complied with, in our judgment could have a material effect on Department operations. Compliance with laws and regulations applicable to the Department’s handling of Enterprise Architecture and IT investments is the responsibility of the Department’s management.

Our audit included examining, on a test basis, evidence about laws and regulations.
The specific laws and regulations against which we conducted our tests are contained in the relevant portions of the Clinger-Cohen Act of 1996, OMB Circular A-11 § 300, and OMB Circular A-130.

The Clinger-Cohen Act of 1996:

• as applied to Enterprise Architecture, requires the CIOs for major departments and agencies to develop, maintain, and facilitate the implementation of architectures as a means of integrating business processes and agency goals with IT; and

• as applied to ITIM, defines requirements for capital planning and control of IT investments and mandates a select/control/evaluate approach that federal agencies must follow.

OMB Circular A-11, § 300:

• as applied to ITIM, establishes the criteria for completing Exhibits 300, which is the format used to represent the purpose for the proposed investment to agency management and the OMB.

OMB Circular A-130:

• as applied to Enterprise Architecture, requires agencies to create an Enterprise Architecture Framework; once a framework is established, an agency must create and maintain an Enterprise Architecture; and

• as applied to ITIM, defines requirements for capital planning and control of IT investments using a select/control/evaluate approach.

As noted in the Finding and Recommendations section of our report, the Department has not yet established an Enterprise Architecture or ITIM processes and therefore is not in compliance with the Clinger-Cohen Act, OMB guidance, and Department regulations. However, the Department is actively developing and implementing new frameworks aimed at establishing an Enterprise Architecture and ITIM processes in the future.
Also, some Department components, such as the FBI and the DEA, have made progress in developing component-level Enterprise Architectures and ITIM processes.

STATEMENT ON INTERNAL CONTROLS

In planning and performing our audit of the Department’s management of its Enterprise Architecture and IT investments, we considered the Department’s internal controls for the purpose of determining our audit procedures. This evaluation was not made for the purpose of providing assurance on the internal control structure as a whole. However, we noted certain matters that we consider to be reportable conditions under Government Auditing Standards.

Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control structure that, in our judgment, could adversely affect the Department’s ability to manage its Enterprise Architecture and IT investments. During our audit, we identified the following internal control concerns.

• The Department has not yet completed an Enterprise Architecture to drive its IT investments.

• The Department has not yet implemented the control and evaluate processes necessary to complete its IT investment capability.

• The Department does not provide adequate oversight of components’ Enterprise Architecture and ITIM efforts.

Because we are not expressing an opinion on the Department’s internal control structure as a whole, this statement is intended solely for the information and use of the Department in managing its Enterprise Architecture and IT investments.
This restriction is not intended to limit the distribution of this report, which is a matter of public record.

APPENDIX 1

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of the audit was to determine whether the Department is effectively managing its Enterprise Architecture and IT investments.

Scope and Methodology

The audit was performed in accordance with Government Auditing Standards, and included tests and procedures necessary to accomplish the audit objectives. We conducted work at the Department and its Justice Management Division in Washington, D.C.

To perform our audit, we interviewed Department and GAO officials, and reviewed documents related to Enterprise Architecture and IT management policies and procedures, project management guidance, strategic plans, IT project proposals, budget documentation, organizational structures, and prior GAO and OIG reports.

To determine the Department’s progress in developing an Enterprise Architecture, we used the GAO’s Enterprise Architecture Management framework as criteria. As part of our assessment of the Department’s Enterprise Architecture, the Department completed a survey developed by the GAO to identify which of the core elements in the GAO’s Enterprise Architecture Management framework were implemented. We reviewed the survey and obtained supporting documentation for the core elements that the Department said were implemented.
We did not test or review documentation for the core elements that the Department considered not implemented or partially implemented.

To determine whether the Department is effectively managing its IT investments, we reviewed the GAO’s ITIM framework in relation to the Department’s ITSM and also the Department’s regulations, IT policies and procedures, program managers’ presentations, meeting minutes, training agenda, and other information. Based on interviews and our review of documentation provided by Department officials, we determined the status of their efforts to develop ITIM processes.

To determine whether the Department was providing effective oversight to its components’ Enterprise Architecture and ITIM efforts, we reviewed DOJ Order 2880.1A and determined through interviews and documentation the extent to which those efforts were formally guided and monitored.

APPENDIX 2

DEPARTMENT OF JUSTICE
OFFICE OF THE CHIEF INFORMATION OFFICER

Chief Information Officer
    Immediate Office of the Director
    Director, Budget Director
    Deputy CIO, E-Government Services Staff
        Office of the Director
        E-Government Services
        Wireless Management Services
    Deputy CIO, IT Policy & Planning Staff
        Office of the Director
        Architecture Services
        Business Process Reengineering Services
        Investment Management Services
        Policy and Planning Support Services
    Deputy CIO, Enterprise Solutions Staff
        Office of the Director
        Contracts Management Services
        JABS Program Management Office
        JCON Program Management Office
        Systems Development Services
    Deputy CIO, Operations Services Staff
        Office of the Director
        Computer Services
        Systems Technology Services
        Telecommunications Services
    Deputy CIO, IT Security Staff
        Office of the Director
        Information Security Services

Source: Justice Management Division

APPENDIX 3

ACRONYMS

ATF     Bureau of Alcohol, Tobacco, Firearms, and Explosives
CFR     Code of Federal Regulations
CIO     Chief Information Officer
CTO     Chief Technology Officer
DEA     Drug Enforcement Administration
DERB    Department Executive Review Board
DOJ     Department of Justice
EA      Enterprise Architecture
EAC     Enterprise Architecture Committee
FBI     Federal Bureau of Investigation
FEAF    Federal Enterprise Architecture Framework
FEAMS   Federal Enterprise Architecture Management System
FY      Fiscal Year
GAO     Government Accountability Office
IRM     Information Management Resources
IT      Information Technology
ITIM    Information Technology Investment Management
ITSM    Information Technology Strategic Management
JCON    Justice Consolidated Office Network
JMD     Justice Management Division
OCIO    Office of the Chief Information Officer
OIG     Office of the Inspector General
O&M     Operations and Maintenance
OMB     Office of Management and Budget
PKI     Public Key Infrastructure
SDLC    Systems Development Life Cycle
TRM     Technical Reference Model
UFMS    Unified Financial Management System

APPENDIX 4

SUMMARY OF ENTERPRISE ARCHITECTURE MANAGEMENT FRAMEWORK’S MATURITY STAGES, CRITICAL SUCCESS ATTRIBUTES, AND CORE ELEMENTS

Maturity stages:

Stage 1: Creating EA awareness
Stage 2: Building the EA management foundation
Stage 3: Developing EA products
Stage 4: Completing EA products
Stage 5: Leveraging the EA to manage change

Core elements by critical success attribute and stage (no core elements are listed for Stage 1):

Attribute 1: Demonstrates commitment

• Stage 2: Adequate resources exist. Committee or group representing the enterprise is responsible for directing, overseeing, or approving EA.

• Stage 3: Written and approved organization policy exists for EA development.

• Stage 4: Written and approved organization policy exists for EA maintenance.

• Stage 5: Written and approved organization policy exists for IT investment compliance with EA.

Attribute 2: Provides capability to meet commitment

• Stage 2: Program office responsible for EA development and maintenance exists. EA is being developed using a framework, methodology, and automated tool.

• Stage 3: EA products are under configuration management.

• Stage 4: EA products and management processes undergo independent verification and validation.

• Stage 5: Process exists to formally manage EA change. EA is integral component of IT investment management process.

Attribute 3: Demonstrates satisfaction of commitment

• Stage 2: EA plans call for describing both the “as is” and the “to-be” environments of the enterprise, as well as a sequencing plan for transitioning from the “as is” to the “to-be.” EA plans call for describing both the “as is” and the “to-be” environments in terms of business, performance, information/data, application/service, and technology descriptions to address security.

• Stage 3: EA products describe or will describe both the “as is” and the “to-be” environments of enterprise, as well as a sequencing plan for transitioning from the “as is” to the “to-be.” Both the “as is” and the “to-be” environments are described or will be described in terms of business, performance, information/data, application/service, and technology. Business, performance, information/data, application/service, and technology descriptions address or will address security.

• Stage 4: EA products describe both the “as is” and the “to-be” environments of enterprise, as well as a sequencing plan for transitioning from the “as is” to the “to-be.” Both the “as is” and the “to-be” environments are described in terms of business, performance, information/data, application/service, and technology. Business, performance, information/data, application/service, and technology descriptions address security. Organization CIO has approved current version of EA. Committee or group representing the enterprise or the investment review board has approved current version of EA.

• Stage 5: EA products are periodically updated. IT investments comply with EA. Organization head has approved current version of EA.

Attribute 4: Verifies satisfaction of commitment

• Stage 2: EA plans call for developing metrics for measuring EA progress, quality, compliance, and return on investment.

• Stage 3: Progress against EA plans is measured and reported.

• Stage 4: Quality of EA products is measured and reported.

• Stage 5: Return on EA investment is measured and reported. Compliance with EA is measured and reported.

Maturation proceeds from Stage 1 to Stage 5.

Note: Enterprise Architecture (EA)
Source: Government Accountability Office

APPENDIX 5

SUMMARY OF GAO ITIM FRAMEWORK

The ITIM framework is a hierarchical model comprised of five maturity stages. Each stage builds upon the lower stages and represents a step toward achieving both stable and effective ITIM processes. A summary of the five stages is presented below.

[Figure: The Five ITIM Maturity Stages. Source: Government Accountability Office]

Stage 1 describes the state of an organization prior to any framework implementation and does not contain critical processes.
Maturity stages 2 through 5 are composed of a series of critical processes, each of which must be implemented and institutionalized for an organization to satisfy stage requirements and advance to the next stage. The ITIM framework also breaks down each critical process into a set of key practices. Key practices are specific tasks and conditions that must be in place for an organization to implement effectively the necessary critical processes. A summary of ITIM critical processes for each maturity stage is presented in the following chart.

[Figure: Critical Process Summaries. Source: Government Accountability Office]

Four core elements comprise each critical process in the ITIM framework. These elements indicate whether the implementation and institutionalization of a process can be effective and repeated. The four core elements outlined in the ITIM framework are: (1) purpose, (2) organizational commitment, (3) prerequisites, and (4) activities. The following chart illustrates the relationship between the four core elements.

[Figure: The Four Critical Process Elements. Source: Government Accountability Office]

Each core element, except for the “purpose” core element, contains specific key practices.
The ITIM framework states that these key practices\nare the attributes and activities that contribute most to implementing and\nstandardizing a critical process.\n\n\n\n\n                                   - 59 -\n\x0c                                                                     APPENDIX 6\n\n\n               DEPARTMENT PROGRESS THROUGH STAGE 3 OF THE\n             ENTERPRISE ARCHITECTURE MANAGEMENT FRAMEWORK\n\n\n                       Core Elements                                 Status\n                                                                             Not\n                                                             Implemented Implemented\nSTAGE 2\nCritical Attribute #1: Demonstrates Commitment\nAdequate Resources                                                            9\nEnterprise Architecture Governing Committees                                  9\nCritical Attribute #2: Capability to Meet Commitment\nEnterprise Architecture Program Office                           9\nAppointment of Chief Architect                                   9\nEnterprise Architecture Development Using a Framework,                        9\nMethodology, and Automated Tool\nCritical Attribute #3: Demonstrates Satisfaction of\nCommitment\nEnterprise Architecture Program Plan Development                 9\nSecurity                                                         9\nCritical Attribute #4: Verifies Satisfaction of Commitment\nEnterprise Architecture Progress Measurement                                  9\nSTAGE 3\nCritical Attribute #1: Demonstrates Commitment\nEnterprise Architecture Development Policy                                    9\nCritical Attribute #2: Capability to Meet Commitment\nEnterprise Architecture Products Under Configuration\nManagement                                                                    9\nCritical Attribute #3: Demonstrates Satisfaction of\nCommitment\nDevelop \xe2\x80\x9cAs-is,\xe2\x80\x9d \xe2\x80\x9cTo-be,\xe2\x80\x9d 
and Transition Architectures                        9\nSecurity                                                         9\n\n\n\n                                               - 60 -\n\x0c                       Core Elements                                 Status\n                                                                             Not\n                                                             Implemented Implemented\n\nCritical Attribute #4: Verifies Satisfaction of Commitment\nMeasure and Report Enterprise Architecture Progress                           9\nSource: Office of the Inspector General.\n\n\n\n\n                                             - 61 -\n\x0c                                                               APPENDIX 7\n\n              THE THREE COMPONENTS OF THE ITIM PROCESS\n\n     Select Phase\n\n     In the Select phase of the capital planning and investment control\nprocess, A-130 requires agencies to:\n\n     \xe2\x80\xa2   determine whether the investment will support core mission\n         functions;\n\n     \xe2\x80\xa2   demonstrate a projected return on investment that is clearly equal\n         to or better than alternative uses of available public resources;\n\n     \xe2\x80\xa2   prepare and update a benefit-cost analysis for each information\n         system through its life cycle;\n\n     \xe2\x80\xa2   prepare and maintain a portfolio of major information systems;\n\n     \xe2\x80\xa2   ensure consistency with federal, agency, and bureau Enterprise\n         Architectures;\n\n     \xe2\x80\xa2   ensure investments are not duplicative; and\n\n     \xe2\x80\xa2   establish oversight mechanisms to ensure the continuing security,\n         interoperability, and availability of systems and data.\n\n     Control Phase\n\n     In the Control phase of the capital planning and investment control\nprocess, A-130 requires agencies to:\n\n     \xe2\x80\xa2   institute performance measures and management processes that\n         
         monitor actual performance compared to expected results;

     •   establish oversight mechanisms to determine whether information
         systems continue to fulfill ongoing and anticipated mission
         requirements;

     •   ensure that information systems meet established milestones,
         deliver intended benefits, meet user requirements, and identify and
         offer security protections;

     •   prepare and update a strategy that identifies and mitigates risks
         associated with each information system; and

     •   ensure that agency Enterprise Architecture procedures are followed.

     Evaluate Phase

     In the Evaluate phase of the capital planning and investment control
process, A-130 requires agencies to:

     •   conduct post-implementation reviews of information systems and
         information resource management processes to validate estimated
         benefits and costs and document effective management practices
         for broader use;

     •   evaluate systems to ensure positive return on investment and
         decide whether continuation, modification, or termination of the
         systems is necessary to meet agency mission requirements;

     •   document lessons learned from the post-implementation reviews,
         and redesign oversight mechanisms and performance levels to
         incorporate acquired knowledge;

     •   re-assess an investment’s business case, technical compliance, and
         compliance against the Enterprise Architecture; and

     •   update the Enterprise Architecture and IT capital planning
         processes as needed.


APPENDIX 8

PRIOR REPORTS

      We identified eight IT-related reports issued since
May 2000 by the GAO and the OIG that are relevant to this audit. In
May 2000, the GAO reported that although almost all federal agencies had
created some type of ITIM process, none had yet implemented stable
processes addressing all three phases of the select-control-evaluate
approach. [16] According to the GAO, one barrier to implementing reliable ITIM
has been the lack of specific guidance on the required processes.

      In February 2002, the GAO reported that the federal government as a
whole had not reached a mature state of Enterprise Architecture
management. [17] In particular, about 52 percent of federal agencies reported
having at least the management foundation that is needed to begin
successfully developing, implementing, and maintaining an Enterprise
Architecture, but about 48 percent of agencies had not yet advanced to this
basic stage of maturity. In November 2003, the GAO updated its 2002
report and concluded that little progress had occurred in agencies’ Enterprise
Architecture management. [18]

      [16] The report is entitled Information Technology Investment Management: An
Overview of GAO’s Assessment Framework (GAO/AIMD-00-155), dated May 2000.

      [17] The report is entitled Information Technology, Enterprise Architecture Use Across
the Federal Government Can Be Improved (GAO-02-6), dated February 2002.

      [18] The report is entitled Information Technology, Leadership Remains Key to
Agencies Making Progress on Enterprise Architecture Efforts (GAO-04-40), dated November
2003.

      In April 2002, pursuant to the FY 2001 Government Information
Security Reform Act, the OIG issued a report on JMD’s Rockville and Dallas
Data Centers IT system. The report identified vulnerabilities with
management, operational, and technical controls. The report noted
significant vulnerabilities in the following areas:

      •   security policies and procedures,

      •   authorization of software changes,

      •   contingency planning,

      •   password management,

      •   logon management,

      •   account integrity management, and

      •   system auditing management.

      The report stated that these vulnerabilities occurred because JMD
lacked sufficient guidance, adequate security policies, and effective
enforcement of policies.

      In December 2002, the OIG issued a report on the FBI’s Management
of IT Investments. The OIG reported that the FBI did not have a fully
developed enterprise architecture. Also, the FBI was not effectively
selecting, controlling, and evaluating its IT investments because it had not
fully implemented any of the critical processes necessary for successful ITIM.

      In May 2003, also pursuant to the FY 2001 Government Information
Security Reform Act, the OIG issued a report on JMD’s Justice
Communications Network IT system. The report identified vulnerabilities
with the IT system including management, operational, and technical
controls. The report noted significant vulnerabilities in the following areas:

      •   review of security controls,

      •   personnel security,

      •   contingency planning,

      •   hardware and system software maintenance,

      •   documentation,

      •   identification and authentication, and

      •   logical access controls.

      The report stated that these vulnerabilities occurred because JMD had
not implemented Department policies or updated security information and
procedures.

      In June 2004, pursuant to the Federal Information Security
Management Act, the OIG issued an oversight and information systems
consolidated report. The report identified JMD vulnerabilities in the following
areas:

      •   vulnerability tracking capability and documented structured
          compliance evaluation procedures,

      •   oversight,

      •   creating specific goals,

      •   components documenting systems configuration management
          process for their systems,

      •   components adequately developing and distributing Rules of
          Behavior to all employees and contractors prior to gaining
          access to the systems, and

      •   components reporting computer security incidents to the
          Department of Justice Computer Emergency Response Team in a
          timely manner.

      In September 2004, the OIG issued a report on the Drug Enforcement
Administration’s Management of Enterprise Architecture and IT Investments.
The OIG found that the Drug Enforcement Administration had completed
nearly 90 percent of the Enterprise Architecture Management Framework
criteria for meeting the second of five levels of maturity.
Also, the Drug
Enforcement Administration had attained Stage 2 of the five maturity stages
outlined in the GAO ITIM Framework.


APPENDIX 9

DEPARTMENT ITSM FRAMEWORK’S
CONTINUOUS INTEGRATED PROCESSES

      According to the Department’s ITSM framework, IT Investments can
be categorized as development projects, Operations and Maintenance (O&M)
projects, and management processes. Development projects are those
which are either new or undergoing major enhancements. O&M projects are
considered steady state, meaning they are fully operational and continue to
operate without significant enhancements. Management processes are
on-going business operations as opposed to projects with a scheduled start and
end date. All three types of investments grow through defined models.
Development projects evolve through the Department System Development
Life Cycle (SDLC), O&M projects evolve through the Department Operations
Analysis Model, and management processes mature according to the
Department Process Maturity Model.

      The SDLC Model is used to manage system projects. The SDLC,
established in 2003, has not yet been updated. According to the ITSM
framework, the SDLC will be updated and streamlined to provide the
sequence of activities that are needed to support Department-wide project
management, oversight, and performance management of development
projects. The SDLC will be used to compute the earned value of investment
projects as they progress through the system development phases. [19]
According to a Department official, the current version of the SDLC is being
modified to incorporate additional development process models and perform
process streamlining; however, the existing SDLC is still used by
components and is considered sufficient.

      [19] The SDLC consists of 10 phases projects must go through to be maintained and
reviewed.

     ITSM Business Cycle

      The framework phases are applied to the ITSM Business Cycle, which
is based on the OMB 3-year budget cycle. The ITSM Business Cycle spreads
beyond 3 years to reflect multiple operating years for development and
subsequent operations and maintenance of investments. The framework
consists of select, control, and evaluate processes. The IT Planning Phase
and the IT Funding and Architecture Phases, which occur during the planning
year and budget year, equate to the select process. The IT Investment
Oversight Phase, which occurs in multiple operation years, equates to the
control and evaluate processes.

     ITSM Core Processes and Products

      The ITSM framework phases are composed of core interlocking
processes that perform the business of each phase by passing core products
from one core process to another. Each core product and process supports
the Department enterprise portfolio.

     ITSM Continuous Integrated Processes

      The core products of the ITSM framework are the culmination of
contributions from other Department business areas: (1) portfolio
management, (2) Enterprise Architecture, (3) human capital, (4) information
security, (5) E-Gov, (6) infrastructure management, and (7) business
operations. Each of these business areas is integrated at the appropriate
places in the ITSM core processes to provide substantial input towards the
ITSM core products. The ITSM continuous integrated processes and the
ITSM framework represent the total workings of the Department.

     ITSM Enterprise Portfolio

      The enterprise portfolio, as discussed in Finding 1, is one of the main
products of the Department and inventories the Department’s IT assets.
The portfolio will be made up of investments, also referred to as projects,
programs, systems, and architecture capabilities. It is the enterprise
portfolio that will serve as the base data for the Department to integrate
information among mid-level management and senior-level decision support.

     ITSM Performance Measurements

      Performance measures are used to determine if strategic objectives
are being met at the investment level. Performance measures consist of
goals and metrics used to determine if the goals are being met. The goals
are developed from the strategic objectives within the IT Strategic Plan. The
link between the strategic objective and the investment, and the goal and
metric, enables decision-makers to attribute success from an investment to
a strategic objective.


APPENDIX 10

THE DOJ’S RESPONSE TO THE DRAFT REPORT


APPENDIX 11

OFFICE OF THE INSPECTOR GENERAL’S ANALYSIS AND
SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT

      Pursuant to the OIG’s standard audit process, the OIG provided a draft
of this audit report to the Department of Justice on September 26, 2005, for
its review and comment. The Department’s October 20, 2005, response is
included in Appendix 10 of this final report. The Department concurred with
all seven recommendations in the audit report.
Our analysis of the DOJ’s
response to the seven recommendations is provided below.

Status of Recommendations

     1. Resolved. This recommendation is resolved based on the
        Department’s agreement to complete a Department-wide Enterprise
        Architecture. This recommendation can be closed when we receive
        documentation demonstrating that the Department has completed
        an organization-wide Enterprise Architecture.

     2. Resolved. This recommendation is resolved based on the
        Department’s agreement to provide guidance to components for
        the development and maintenance of Enterprise Architectures.
        This recommendation can be closed when we receive
        documentation demonstrating that the Department has issued
        guidance to its components for the development and maintenance
        of Enterprise Architectures.

     3. Resolved. This recommendation is resolved based on the
        Department’s agreement to track and review the planning,
        development, completion, and updating of component-level
        Enterprise Architectures. This recommendation can be closed when
        we receive documentation demonstrating that the Department is
        tracking and reviewing the plans, development, completion, and
        updating of component-level Enterprise Architectures.

     4. Resolved. This recommendation is resolved based on the
        Department’s agreement to fully implement the phases outlined by
        the ITSM framework to ensure that all Department IT investments
        are covered by an ITIM process. This recommendation can be
        closed when we receive documentation demonstrating that all
        Department IT investments are covered by an ITIM process.

     5. Resolved. This recommendation is resolved based on the
        Department’s agreement to ensure that its components requiring
        ITIM processes develop such processes. This recommendation can
        be closed when we receive documentation demonstrating that the
        Department has ensured that its components requiring ITIM
        processes have developed such processes.

     6. Resolved. This recommendation is resolved based on the
        Department’s agreement to provide assistance to its components in
        developing and implementing ITIM processes and providing
        value-added services. This recommendation can be closed when we
        receive documentation demonstrating that the Department has
        provided assistance to its components in developing and
        implementing ITIM processes.

     7. Resolved. This recommendation is resolved based on the
        Department’s agreement to establish a clear schedule for the
        completion of the ITSM Framework and the completion of a mature
        ITIM process. This recommendation can be closed when we
        receive documentation demonstrating that a schedule has been
        established for the completion of the ITSM Framework and the
        Department has implemented a mature ITIM process.
"